Sophos

Troj/Bancsde-A

Aliases
  • Trojan-Downloader.Win32.Vidlo.h
  • Trojan-PSW.Win32.Agent.k
  • Backdoor.Win32.Bancodor.x

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from March 2005 (3.91)
Protection available since 26 January 2005 22:46:36 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

You should also check your Internet Explorer settings using Tools|Internet options for any modifications made by the Trojan: the home page on the General tab, the 'Warn if changing between secure and not secure mode' and 'Warn if POST submittal is redirected to a zone that does not permit posts' options on the Advanced tab (the Trojan turns both off), and the 'Display mixed content' setting for each zone under Security|Custom Level (the Trojan sets it to Enable).

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random 3-4 letters>Srv32
<path to file>

and delete it if it exists. Because the first part of the value name is random, look for any value in the Run key whose name ends in Srv32 and whose data points to a file in the Windows folder; note the path, since it identifies the dropped file.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
<random 3-4 letters>Srv32
<path to file>

and delete it if it exists.

Close the registry editor.

More Information

Troj/Bancsde-A is a multi-component Trojan which attempts to steal online banking details for accounts related to certain banks in Germany.

The downloader component of Troj/Bancsde-A, which may have been distributed on its own, launches Microsoft Internet Explorer (iexplore.exe) and injects code into the running process; the injected code downloads a file called xxde.exe from a remote URL and executes it. Because the download is made from inside the browser process, it is less likely to be blocked by a personal firewall that already permits Internet Explorer to reach the Internet.

The file xxde.exe drops and executes a file called <random 3-4 letters>svr.exe within the Windows folder and creates the following registry entry to run the dropped file on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random 3-4 letters>Srv32
<path to file>

The dropped file, which is the main Trojan component, carries HTML pages embedded in its body; the Trojan uses these to display fake online banking login pages that imitate the legitimate ones. It may also drop two DLLs called iexml.dll and iempview.dll in the Windows folder and inject them into the process space of iexplore.exe.

The DLLs relay the stolen details to a remote PHP script.

The main component may create the following registry entry to run itself on system restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random 3-4 letters>Srv32
<path to file>

Troj/Bancsde-A also creates the following registry entries to lower Internet Explorer's security settings. Setting WarnOnPostRedirect and WarnOnZoneCrossing to 0 suppresses the prompts that would normally appear when a form POST is redirected to another zone or when the browser moves between secure (HTTPS) and insecure pages; setting value 1609 ('Display mixed content') to 0 in zones 0 to 4 (My Computer, Local intranet, Trusted sites, Internet, Restricted sites) allows mixed HTTP/HTTPS content without a prompt. Together these keep the user from being warned while the fake login page submits captured details:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnPostRedirect
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnZoneCrossing
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1609
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1609
0
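The two groups of registry changes above (the Run entries used for persistence and the Internet Settings values that silence the browser warnings) can be checked offline against a regedit export, such as the backup the removal instructions ask you to make. The following Python script is an added example, not Sophos code: it parses the export text, flags any Run value whose name is three or four letters followed by Srv32, and flags the WarnOnPostRedirect, WarnOnZoneCrossing and zone 1609 values when they are set to 0. The sample export embedded in it is constructed for illustration; the value names (abcdSrv32, SoundMAX) and paths in it are assumptions.

```python
"""Scan a regedit export (.reg) for the Troj/Bancsde-A persistence entries and
the Internet Explorer warning settings it turns off. Added example, not Sophos code."""
import re
import sys
from typing import Dict, List, Optional, Tuple

# (type, raw data) as written in the export, e.g. ("dword", "00000000") or ("string", "C:\\x.exe")
Value = Tuple[str, str]

# Value name used for persistence: three or four random letters followed by "Srv32".
RUN_VALUE_RE = re.compile(r"^[A-Za-z]{3,4}Srv32$", re.IGNORECASE)
# Run keys under HKLM, HKCU or HKEY_USERS\<sid>; the $ anchor keeps RunOnce and similar keys out.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
INET_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings$", re.IGNORECASE)
ZONE_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\([0-4])$",
                         re.IGNORECASE)
# Zone numbers as used by Internet Explorer.
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites", "3": "Internet", "4": "Restricted sites"}


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Minimal parser for regedit's export format (REGEDIT4 or 'Windows Registry Editor Version 5.00').

    Handles [key] sections, "name"="string" and "name"=type:data lines. Continuation lines of
    multi-line hex: data contain no '=' and are skipped, which is enough for the values checked here.
    """
    keys: Dict[str, Dict[str, Value]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"'):
            # String data: strip the quotes and undo the doubled backslashes of the export format.
            keys[current][name] = ("string", data.strip('"').replace("\\\\", "\\"))
        elif ":" in data:
            kind, payload = data.split(":", 1)
            keys[current][name] = (kind.lower(), payload)
        else:
            keys[current][name] = ("unknown", data)
    return keys


def dword(values: Dict[str, Value], name: str) -> Optional[int]:
    """Return a DWORD value by case-insensitive name, or None if it is absent or not a DWORD."""
    for existing, (kind, payload) in values.items():
        if existing.lower() == name.lower():
            return int(payload, 16) if kind == "dword" else None
    return None


def scan(keys: Dict[str, Dict[str, Value]]) -> List[str]:
    """Return one finding per Troj/Bancsde-A indicator present in the parsed export."""
    findings: List[str] = []
    for key, values in keys.items():
        if RUN_KEY_RE.search(key):
            for name, (_, data) in values.items():
                if RUN_VALUE_RE.match(name):
                    findings.append(f"run-entry {key}\\{name} -> {data}")
        elif INET_KEY_RE.search(key):
            for name in ("WarnOnPostRedirect", "WarnOnZoneCrossing"):
                if dword(values, name) == 0:
                    findings.append(f"warning-disabled {key}\\{name}")
        else:
            zone = ZONE_KEY_RE.search(key)
            # 1609 is "Display mixed content"; 0 means allow without prompting.
            if zone and dword(values, "1609") == 0:
                findings.append(f"mixed-content-allowed zone {zone.group(1)} ({ZONE_NAMES[zone.group(1)]})")
    return findings


def scan_file(path: str) -> List[str]:
    """Scan an export on disk. Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    return scan(parse_reg(text))


# Constructed sample export for illustration: the value names and paths are assumed, not observed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"abcdSrv32"="C:\\WINDOWS\\abcdsvr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPostRedirect"=dword:00000000
"WarnOnZoneCrossing"=dword:00000000
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000000
"1601"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609"=dword:00000003
"""


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(parse_reg(SAMPLE_REG))
    print("\n".join(results) or "no Troj/Bancsde-A indicators found")
```

Run it with the path of an exported .reg file, or with no argument to scan the built-in sample. A 1609 value of 0 in a zone is treated as suspicious rather than conclusive, since an administrator can set it deliberately; the Run entry match is the stronger indicator and its data field gives the path of the file to remove.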
