Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | May 2005 (3.93) |
| Protection available since | 21 March 2005 13:52:59 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
foxwudy9912
"unicox.exe"
and delete it if it exists.
Close the registry editor.
More Information
Troj/Bancos-BT is a password-stealing Trojan targeted at certain Brazilian online banking websites.
The Trojan displays fake login screens for a number of Brazilian banks that offer online services in an attempt to steal bank account details.
Troj/Bancos-BT consists of a multicomponent dropper and a main executable.
Upon execution, the dropper creates the following in the Windows system folder: the main executable, with the filename marcx.exe, which it runs; clean text files called foxdll.vxd and first.dll; and a clean DLL with the filename crss1.ocx, which provides an SMTP Control for Visual Basic files.
A copy of the Trojan main executable is also created in the Windows help folder with the filename unicox.exe.
In order to be able to run automatically when Windows starts up, Troj/Bancos-BT sets the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
foxwudy9912
"unicox.exe"
Troj/Bancos-BT also sets a number of registry entries related to the SMTP control DLL.
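
The following check is an added example, not Sophos code: it parses a regedit text export (such as the Backup file made in the removal steps) and reports string values under the HKLM Run key that match the startup entry described above. The sample export, the ExampleUpdater entry and the function names are constructed for illustration.

```python
import re

# Indicators taken from this page: the Run value name and the file it launches.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "foxwudy9912"
IOC_FILE_NAME = "unicox.exe"

# Constructed sample of a regedit text export (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"foxwudy9912"="C:\\WINDOWS\\Help\\unicox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"foxwudy9912"="unrelated.exe"
'''

_SECTION = re.compile(r"^\[(-?)(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(text):  # .reg strings escape backslash and quote with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def run_values(export_text):
    """Return {value name: data} for string values under the HKLM Run key."""
    values, in_run_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        section = _SECTION.match(line)
        if section:
            # Key names are case-insensitive; "[-key]" marks a deletion, not a key.
            in_run_key = not section.group(1) and section.group(2).lower() == RUN_KEY.lower()
            continue
        entry = _STRING_VALUE.match(line) if in_run_key else None
        if entry:
            values[_unescape(entry.group(1))] = _unescape(entry.group(2))
    return values

def find_bancos_bt_run_entry(export_text):
    """Return (name, data) pairs matching the page's Run entry indicators."""
    hits = []
    for name, data in run_values(export_text).items():
        file_name = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() == IOC_VALUE_NAME or file_name.lower() == IOC_FILE_NAME:
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    print(find_bancos_bt_run_entry(SAMPLE_EXPORT))
```

An empty result after removal confirms the Run value is gone from that export; the match on the file name also catches the same executable registered under a different value name.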
