Troj/Bancban-BN

Aliases	Trojan-Spy.Win32.Banker.kb
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	April 2005 (3.92)
Protection available since	25 February 2005 07:47:55 (GMT)
Detected by	All Sophos products

Troj/Bancban-BN is a Trojan that attempts to steal banking details.

Troj/Bancban-BN may download and run another file, storing it in the Windows system folder as ACTIVE_URL.DLL.

Stolen information is sent to a remote user by email.

Troj/Bancban-BN creates the following registry entry in order to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
taskmrg.exe
<path to Trojan>

Troj/Bancban-BN may create a number of files in the Windows system folder, including files with any of the following names:

ARQVER.DLL
EXECONFIG.DLL
BAN.TXT
BB.TXT
BRA.TXT
BRB.TXT
CAI.TXT
EQUI.TXT
GF.TXT
HSBC.TXT
ITA.TXT
REA.TXT
SAN.TXT
SER.TXT
UNI.TXT

Get reports about the latest virus and spyware threats delivered to your computer