Troj/Bancos-BU

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
zsmsgs
%WINDOWS%\iservice.exe

and delete it if it exists.

Close the registry editor.

Troj/Bancos-BU is a password stealing Trojan for the Windows platform that targets customers of Brazilian banks.

Troj/Bancos-BU monitors a user's internet access, and when certain internet banking sites are visited the Trojan will display a fake login screen in order to trick the user into inputting their details. Troj/Bancos-BU is a password stealing Trojan for the Windows platform that targets customers of Brazilian banks.

Once executed Troj/Bancos-BU displays a fake error message, copies itself to the Windows folder with the filename iservice.exe and in order to be able to run automatically when Windows starts up it may set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
zsmsgs
%WINDOWS%\iservice.exe

Troj/Bancos-BU monitors a user's internet access, and when certain internet banking sites are visited the Trojan will display a fake login screen in order to trick the user into inputting their details.