Sophos

Troj/Banker-CZ

Aliases
  • Trojan-Spy.Win32.Banker.ii
  • TSPY_BANCBAN.MA

Summary

 
Affected operating systems: Windows
Included in our products from: July 2005 (3.95)
Protection available since: 2 June 2005 13:22:44 (GMT)
Detected by: All Sophos products

More Information

Troj/Banker-CZ is an internet banking Trojan.

Troj/Banker-CZ includes functionality to disable other applications, steal confidential information and capture keystrokes.

When Troj/Banker-CZ is installed it creates the file <System>\D5133\words.vxd. This file may be deleted.

The following registry entry is created to run csrss.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Norton Protect Activies
<System>\D5133\csrss.exe
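
A detection check for the startup entry described above, as an added example (not Sophos code): it reads the text output of `reg query` for a Run key and flags any value whose executable borrows a core Windows process name but is not located directly in the system directory. It generalizes from csrss.exe to a short illustrative list of names. Assumptions: <System> expands to C:\WINDOWS\system32, and the sample lines and the function names are constructed for this example.

```python
import ntpath
import re

# Core Windows process names that malware commonly borrows (illustrative list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe",
                "services.exe", "winlogon.exe", "svchost.exe"}
# Assumption: <System> expands to this directory on the host being examined.
SYSTEM_DIR = r"C:\WINDOWS\system32"
# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def image_path(command):
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so arguments are dropped.
    match = re.match(r"(?i)(.+?\.exe)\b", command)
    return match.group(1) if match else command


def find_masquerades(reg_query_output, system_dir=SYSTEM_DIR):
    """Return (value name, path) for Run entries that use a system process
    name but do not live directly in the system directory."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = ntpath.normpath(image_path(m.group("data")))
        folder, name = ntpath.split(path)
        if name.lower() in SYSTEM_NAMES and folder.lower() != system_dir.lower():
            findings.append((m.group("name"), path))
    return findings


# Constructed sample of `reg query` output; only the first value matches this page.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Norton Protect Activies    REG_SZ    C:\WINDOWS\system32\D5133\csrss.exe
    ExampleTray    REG_EXPAND_SZ    %windir%\system32\exampletray.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""

if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE):
        print(f"suspicious Run value {name!r}: {path}")
```

The genuine csrss.exe is not launched from a Run key, so a hit on that name warrants investigation regardless of the folder it points to.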

Troj/Banker-CZ attempts to disable the following processes:

NAVAP Wnd Class
ccAppWindow
Navapw32.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\Shell
Nome_Email_Definido
<random number>.bkp
