Sophos

Troj/Banker-T

Aliases
  • TrojanSpy.Win32.Agent.n
  • PWS-Etry
  • trojan
  • TROJ_BANKER.N

Summary

 
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from November 2004 (3.87)
Protection available since 14 September 2004 08:11:14 (GMT)
Detected by All Sophos products

More Information

Troj/Banker-T is a password stealing Trojan.

When executed, the Trojan creates a folder called tgbcde in the Windows folder and copies itself there as module32.exe.

Troj/Banker-T then creates the following registry entry so that it runs on system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
tgbcde = "%windows%\tgbcde\module32.exe arg1"

The Trojan changes the Internet Explorer start page by editing the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Start Page

Troj/Banker-T drops a DLL called library32.dll in its folder. The Trojan also creates various text files in which it stores stolen information.

The Trojan runs in the background, scanning for passwords, which it periodically tries to upload to an internet server by FTP.

Troj/Banker-T will try to terminate various security-related applications.
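
A host check for the artefacts listed above, as an added example (not Sophos code). The function name Test-BankerTArtifacts is hypothetical, and resolving "%windows%" through $env:windir is an assumption.

```powershell
# Added example, not Sophos code. Artefact names come from the description above;
# the function name and the use of $env:windir for "%windows%" are assumptions.
function Test-BankerTArtifacts {
    [CmdletBinding()]
    param([string]$WindowsDir = $env:windir)

    $findings = New-Object 'System.Collections.Generic.List[object]'
    $folder = Join-Path $WindowsDir 'tgbcde'

    # 1. Dropped folder and the two named files.
    if (Test-Path -LiteralPath $folder -PathType Container) {
        $findings.Add([pscustomobject]@{ Check = 'Folder'; Location = $folder; Value = 'exists' })
    }
    foreach ($file in 'module32.exe', 'library32.dll') {
        $path = Join-Path $folder $file
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add([pscustomobject]@{ Check = 'File'; Location = $path; Value = 'exists' })
        }
    }

    # 2. Run-key persistence: match on the value name or on the command it launches.
    $runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runKey = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
    if ($runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            $data = [string]$runKey.GetValue($name)
            if ($name -eq 'tgbcde' -or $data -like '*\tgbcde\module32.exe*') {
                $findings.Add([pscustomobject]@{ Check = 'RunValue'; Location = "$runPath\$name"; Value = $data })
            }
        }
    }

    # 3. Start Page values: the description gives no URL, so report them for manual review.
    foreach ($ie in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
        $ieKey = Get-Item -LiteralPath $ie -ErrorAction SilentlyContinue
        if ($ieKey -and $null -ne $ieKey.GetValue('Start Page')) {
            $findings.Add([pscustomobject]@{ Check = 'StartPage (review)'; Location = $ie; Value = [string]$ieKey.GetValue('Start Page') })
        }
    }
    return $findings
}

Test-BankerTArtifacts | Format-Table -AutoSize -Wrap
```

The HKCU checks read the hive of the account running the script, so run it in the affected user's session.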
