Sophos

Troj/Bandok-J

Aliases
  • Backdoor.Win32.Bandok.h
  • BKDR_BANDOK.H

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: April 2006 (4.04)
Protection available since: 25 February 2006 16:10:26 (GMT)
Detected by: All Sophos products

More Information

Troj/Bandok-J is a downloader and backdoor Trojan for the Windows platform.

When first installed, Troj/Bandok-J attempts to download and install further malware components to extend its functionality. These components are typically .dll files providing functionality such as logging keystrokes, taking screenshots, controlling webcams, and hiding the infection using rootkit techniques.

These components are detected by Sophos as Troj/Bandok, Troj/BanBot or Troj/Bckdr variants. Some Troj/Bandok variants may also install commercial password recovery tools, so that remote intruders can misuse them to steal passwords to mail accounts.

Troj/Bandok-J may inject code into other processes in an attempt to hide its activity. It may also attempt to terminate various security related processes.

When first run, Troj/Bandok-J copies itself to <System>\ali.exe.

The following registry entries are created to run ali.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Bandook
<System>\ali.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
*Bandook
<System>\ali.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(B6A807N6-42DF-4W02-93E5-B156B3FA8AL1)
StubPath
<System>\ali.exe

Troj/Bandok-J may also change the following registry entry, if it exists, in an attempt to bypass some firewalls:

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
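As an added example (not part of the Sophos analysis), the following PowerShell check looks for the artifacts described above on a live host. It assumes an elevated session, maps the <System> placeholder to the System32 directory, and uses the Active Setup key name exactly as printed on this page.

```powershell
# Added detection check for the Troj/Bandok-J persistence artifacts named in the advisory.
# Assumption: run elevated on a Windows host; <System> is taken to be the System32 directory.
$SystemDir = [Environment]::GetFolderPath('System')
$DropPath  = Join-Path $SystemDir 'ali.exe'

# Autostart locations listed in the advisory (key, value name).
# A RunOnce value whose name starts with '*' is run by Windows even in Safe Mode.
$Persistence = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Bandook' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '*Bandook' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\(B6A807N6-42DF-4W02-93E5-B156B3FA8AL1)'; Name = 'StubPath' }
)

$Findings = @()

# Dropped copy of the Trojan.
if (Test-Path -LiteralPath $DropPath) {
    $Findings += "Dropped file present: $DropPath"
}

# Autostart values pointing at ali.exe.
foreach ($p in $Persistence) {
    if (Test-Path -LiteralPath $p.Key) {
        $item = Get-ItemProperty -LiteralPath $p.Key -ErrorAction SilentlyContinue
        $data = $item.($p.Name)
        if ($null -ne $data -and $data -match 'ali\.exe') {
            $Findings += "Autostart entry: $($p.Key) [$($p.Name)] = $data"
        }
    }
}

# Firewall exception list the Trojan is reported to modify. The advisory does not say
# what it writes there, so every entry is listed for comparison against a known baseline.
$FwKey = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
if (Test-Path -LiteralPath $FwKey) {
    (Get-ItemProperty -LiteralPath $FwKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $Findings += "Globally open port entry: $($_.Name) = $($_.Value)" }
}

if ($Findings.Count -eq 0) { 'No Troj/Bandok-J artifacts found.' } else { $Findings }
```

Entries under GloballyOpenPorts\List are not malicious by themselves; treat an unexpected one as a lead to investigate, not as confirmation of infection.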
