Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2006 (4.06) |
| Protection available since | 6 October 2004 08:52:21 (GMT) |
| Last updated | 20 April 2006 09:01:26 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
Safe = <path to Trojan EXE>
and delete it if it exists.
Close the registry editor.
More Information
Troj/Banker-DT is a password stealing Trojan aimed primarily at users of Brazilian banks.
Troj/Banker-DT may arrive as a self-extracting archive file. When first run, the archive will drop one EXE file and two DLL files. All of these files are detected as Troj/Banker-DT.
In order to run automatically each time Windows is started, Troj/Banker-DT will set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Safe = <path to Trojan EXE>
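The persistence value above, and the per-user removal steps in the Action section, can be audited across every loaded user hive with the following PowerShell script. It is an added example, not part of the Sophos write-up; it assumes the value name is exactly "Safe" and only deletes when run with -Remove, after reporting the path the value points to.

```powershell
# Added example (not Sophos tooling): find the Run value that Troj/Banker-DT
# creates in each loaded user hive and, with -Remove, delete it.
# Assumption: the value name is exactly 'Safe', as stated in the write-up.
param(
    [switch]$Remove   # without -Remove the script only reports findings
)

$valueName = 'Safe'
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

# HKEY_USERS is not exposed as a drive by default; map it so it can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = @()
# Each loaded profile appears as HKU\<SID>; HKCU is one of these. Skip the
# *_Classes hives, which never hold a Run key.
$hives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $hives) {
    $runKey = "HKU:\$($hive.PSChildName)\$runSubKey"
    if (-not (Test-Path -Path $runKey)) { continue }

    $props = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }

    $findings += [pscustomobject]@{
        User  = $hive.PSChildName   # SID of the profile
        Key   = $runKey
        Value = $props.$valueName   # path of the Trojan EXE
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No '$valueName' Run value found in any loaded user hive."
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Removing the value stops the Trojan launching at logon; the dropped
        # EXE and DLLs still have to be removed as the Action section says.
        Write-Output "Removing '$valueName' from $($f.Key) (was: $($f.Value))"
        Remove-ItemProperty -Path $f.Key -Name $valueName
    }
}
```

Only hives of users who are currently logged on are present under HKEY_USERS, so run the script in each affected user's session (or load their NTUSER.DAT first) to cover every user who ran the Trojan.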
Troj/Banker-DT will monitor a user's internet access. When certain pre-defined URLs are viewed, Troj/Banker-DT will record the user's keyboard presses and mouse movements. The Trojan will take screenshots of the user's activity.
Periodically, Troj/Banker-DT will archive the stolen information and email it to a Brazilian email address.
The following URLs are monitored: