Troj/Bancos-BY

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Service Registry NT Save =
%Windows%\taskmgrnt.exe

and delete it if it exists.

Close the registry editor.

Troj/Bancos-BY is a password-stealing Trojan targeted at Brazilian online banking websites.

Troj/Bancos-BY monitors internet browsing for specific banking application websites. When such sites are accessed the Trojan may display fake login screens in order to lure the user into entering confidential login details which the Trojan steals. Stolen information is sent via email to the author. Troj/Bancos-BY is a password-stealing Trojan targeted at Brazilian online banking websites.

Troj/Bancos-BY monitors internet browsing for specific banking application websites. When such sites are accessed the Trojan may display fake login screens in order to lure the user into entering confidential login details which the Trojan steals. Stolen information is sent via email to the author.

Troj/Bancos-BY copies itself to the Windows folder as "taskmgrnt.exe" and sets the following registry entry in order to run automatically on computer login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Service Registry NT Save =
%Windows%\taskmgrnt.exe

The Trojan also creates a text file in the same folder named "rumlog.dat".