Information on Trojan Spy.Win32.Banker.bai

Discussion in 'NOD32 version 2 Forum' started by thermalben, Jul 26, 2006.

Thread Status:
Not open for further replies.
  1. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    Is there a patch for the Trojan Spy.Win32.Banker.bai (also known as Troj/Banker-BWO). I'm running NOD32 2.5 with all of the latest updates (and several spyware prevention programs) but this one seems to have got through the hoops.

    More info on this Trojan here.
     
  2. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    If you see that NOD32 doesn't detect a piece of malware, please send it to samples at eset.com in a RAR or ZIP package with "infected" as the password.
    The guys will take a look at the file and, if needed, they'll add it to the database.

     
  3. ASpace

    ASpace Guest

    Or, to make absolutely sure it is infected and not a false positive, submit it to VirusTotal.
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    This would be an alternate solution, but anyway, first submit it to sample [at] nod32.com.
    On virustotal.com some AV scanners can also give FPs or detect corrupted files as viruses.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Please, can you upload it to Jotti or VirusTotal?
     
  6. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    How do I find the file? (so that I can send it)
    I've only come across it using Zone Alarm's free spyware scan.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Where does ZoneAlarm say the file is located?

    Cheers :D
     
  8. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    It was Zone Alarm's online spyware detector, so it didn't reveal that information (only showing a link to a paid product that would remove the Trojan). Is it possible to do a system scan for the Trojan? If so, what search string would I use?
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please check your settings against those found in the following Nod32 Tutorial HERE

    Then run a scan by clicking on the NOD32 Control Centre> NOD32> Run NOD32> Scan and Clean.

    Let us know how you go...

    Cheers :D
     
  10. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    Blackspear - that's a very well laid out Tutorial - well done.

    Unfortunately, although I changed all settings as per the tutorial, NOD32 is still not picking up anything.

    Additionally, the small problems fixed by Spybot last night have re-appeared (such as modifying the following registry entries: "AntiVirusDisableNotify" = "1", "UpdatesDisableNotify" = "1", "FirewallOverride" = "1", "FirewallDisableNotify" = "1").

    Therefore, the Worm/Trojan/Malware responsible for this infection is still present.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you.

    Could you please download and run “Hijack This” found HERE and post your log.

    Cheers :D
     
  12. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    Logfile of HijackThis v1.99.1
    Scan saved at 6:20:34 PM, on 27/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Media Components\Encoder\wmenc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\User\My Documents\Downloads\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126767517687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147436599781
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37940.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: svshosts - Unknown owner - C:\WINDOWS\Tencent
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
    O23 - Service: Windows Management Driver (wmidrv) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
     
  13. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    I have a feeling that it's the current running process:
    C:\WINDOWS\system32\services.exe
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The log appears to be ok.
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    They say in the Windows folder. Not in the Windows\system32 folder. It does not mean that if there's malware named svchost.exe (very common) you would have to delete a crucial system file in the windows\system32 folder.
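A small triage helper for the O23 (service) lines of a HijackThis log like the one posted above, written as an added example and not part of this thread or of HijackThis itself. It flags the things a reviewer would check by hand: an "Unknown owner", a "(file missing)" marker, a service path that is not an executable, and a core Windows binary name such as svchost.exe sitting outside \system32\ (Marcos's point). The sample lines are copied from the posted log and the thresholds are my own assumptions; a flag means "look at this", not "this is malware".

```python
import re

# Constructed sample: the O23 lines from the HijackThis log above, so the
# check runs offline.  Backslashes are doubled only for the Python literal.
SAMPLE_LOG = """\
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
O23 - Service: svshosts - Unknown owner - C:\\WINDOWS\\Tencent
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\\Program Files\\RealVNC\\VNC4\\WinVNC4.exe" -service (file missing)
O23 - Service: Windows Management Driver (wmidrv) - Unknown owner - C:\\WINDOWS\\svchost.exe (file missing)
"""

# HijackThis O23 layout: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Core binaries that belong in %SystemRoot%\system32; a same-named copy
# elsewhere (e.g. directly in C:\WINDOWS) is a classic impersonation trick.
SYSTEM32_ONLY = {"svchost.exe", "services.exe", "lsass.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}

def exe_name(path):
    """Lower-cased basename of the first .exe in an image path, or None."""
    m = re.search(r'([^\\/"]+\.exe)', path, re.IGNORECASE)
    return m.group(1).lower() if m else None

def check_o23(line):
    """Return (service name, [reasons]) for an O23 line, or None if not O23."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name, owner, path = m.group("name"), m.group("owner"), m.group("path")
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("unknown owner (no vendor information)")
    if "(file missing)" in path:
        reasons.append("service binary missing on disk")
    exe = exe_name(path)
    if exe is None:
        reasons.append("image path is not an executable")
    elif exe in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
        reasons.append(f"{exe} outside system32")
    return (name, reasons)

def suspicious_services(log_text):
    """All O23 entries in the log that raised at least one flag."""
    flagged = []
    for line in log_text.splitlines():
        result = check_o23(line)
        if result and result[1]:
            flagged.append(result)
    return flagged

if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```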
     
  16. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    From this website:

    "There are viruses and trojans that use the same name as services.exe. In most cases, the bogus services.exe might be present in your Windows folder, and added to the RUN keys so that the Malware loads at every startup."
     
  17. thermalben

    thermalben Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    8
    Ah yes, you're right Marcos - 'tis late here - lucky I wasn't in a deleting mood!
     
  18. ASpace

    ASpace Guest

    From the log I see something that poses a security hole.
    The Sun Java RE you use is outdated!!! Your version is 1.5.0_06 and the latest is version 1.5.0_07.
    Since old versions of this software are vulnerable and are being exploited, your computer is at risk of being infected with Smithfraud trojans/spyware if you don't update.

    Update instructions:
    1) Remove the current versions from Control Panel -> Add/Remove Programs
    2) Manually delete the folder Java in C:\Program Files
    3) Download and install the latest version from www.java.com -> Download section
     
  19. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Ummmm, what is this?
    I personally think that the Java version is OK. It is only a couple of months old. The ones that were really susceptible to viruses were older versions than that.
     