How to Prevent and Remove the Trojan-Banker.Win32.Banz.fkr

Bookmark and Share

 

1. What is the Trojan-Banker.Win32.Banz.fkr

Trojan-Banker.Win32.Banz.fkr usually disguises itself as seemingly harmless piece of software or desired files, but hen "open the gates" to other forms of malicious software, spyware or virus etc. Trojan-Banker.Win32.Banz.fkr causes you to open anything for someone else to steal your privacy. Thus, Trojan-Banker.Win32.Banz.fkr can compromise your computer security and leave it open to other dangers. Detect and remove Trojan-Banker.Win32.Banz.fkr immediately!

 

Alias: Trojan.VB [Ikarus]  
 

2.Technical Details:

 

a. The following files were created in the system:

 

No. Filename Size
1 %Windir%\install.exe 24,576 bytes
2 %Windir%\jsp110327.dll 1,232,384 bytes
3 [file and pathname of the sample #1] 1,339,392 bytes
  • Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • The following modules were loaded into the address space of other process(es):

Module Name Module Filename Address Space Details
jsp110327.dll %Windir%\jsp110327.dll Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0xD70000 - 0x1025000
jsp110327.dll %Windir%\jsp110327.dll Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0xD70000 - 0x1025000
  • Notes:
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

c.  Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{331B2978-88FF-11D2-8D96-E7ACAC95951F}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
      • HKEY_LOCAL_MACHINE\SOFTWARE\Description
      • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft
      • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc
      • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32]
        • (Default) = "%Windir%\jsp110327.dll"
        • ThreadingModel = "Apartment"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}]
        • (Default) = ""
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{331B2978-88FF-11D2-8D96-E7ACAC95951F}]
        • NoExplorer = 0x00000001
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect]
        • dbsq0012.whservidor.com = "-1022427127:tcp:dbsq0012.whservidor.com,1433"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
        • NetworkAddress = AD BB 61 6B F3 65
        • NetworkAddressLocal = 0x00000001

    c. Other details

    • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host Port Number
    200.228.16.33 80
    200.252.60.11 80
    200.98.196.210 1433

    • The data identified by the following URLs was then requested from the remote web server:

      • http://shopping.correios.com.br/correiosonline
      • http://www.correiosonline.com.br/pt_telegrama_sel.asp

     

    3. How-to's

    a. How to prevent the  Trojan-Banker.Win32.Banz.fkr ?

    Please update the policy basic knowledge of Sax2  in time, Once  Ax3soft sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.

    b. How to Remove the Trojan-Banker.Win32.Banz.fkr Manually?

    Step 1 : Use Windows Task Manager to Remove Trojan-Banker.Win32.Banz.fkr Processes

    IEXPLORE.EXE

    Step 2 : Use Registry Editor to Remove Trojan-Banker.Win32.Banz.fkr Registry Values
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{331B2978-88FF-11D2-8D96-E7ACAC95951F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
    HKEY_LOCAL_MACHINE\SOFTWARE\Description
    HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft
    HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc
    HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32]
    (Default) = "%Windir%\jsp110327.dll"
    ThreadingModel = "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{331B2978-88FF-11D2-8D96-E7ACAC95951F}]
    (Default) = ""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{331B2978-88FF-11D2-8D96-E7ACAC95951F}]
    NoExplorer = 0x00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect]
    dbsq0012.whservidor.com = "-1022427127:tcp:dbsq0012.whservidor.com,1433"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
    NetworkAddress = AD BB 61 6B F3 65
    NetworkAddressLocal = 0x00000001
     

    Step3: Detect and Delete Other Trojan-Banker.Win32.Banz.fkr Files

    %Windir%\install.exe
    %Windir%\jsp110327.dll
    [file and pathname of the sample #1]
     

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and it is not recommend unless you are an expert in this field. Therefore, you best defense is to download and install a reliable anti-spyware program to scan spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advised trying the  Malwarebytes' Anti-Malware, it is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

    		•