Information on Trojan Spy.Win32.Banker.bai

Is there a patch for the Trojan Spy.Win32.Banker.bai (also known as Troj/Banker-BWO). I'm running NOD32 2.5 with all of the latest updates (and several spyware prevention programs) but this one seems to have got through the hoops.

More info on this Trojan here.

 

If you see NOD32 don't detect a malware, please send it to samples at eset.com in a RAR or ZIP package with infected as password.
Guys will take a look at the file and if needed, they'll add it to database.

 

Or to make absolutely sure it is infected or not false-positive , submit it to VirusTotal

 

This would be an alternate solution but anyway first submitt it to sample [at] nod32.com
On virustotal.com some AV scanners can also give FPs or to detect corrupted files as viruses

 

Pls can u upload it to Jotti or Virus total.

 

How do I find the file? (so that I can send it)
I've only come across it using Zone Alarm's free spyware scan.

 

Where does ZoneAlarm say the file is located?

Cheers

 

It was Zone Alarm's online spyware detector, so it didn't reveal that information (only showing a link to a paid product that would remove the Trojan). Is it possible to do a system scan for the Trojan? If so, what search string would I use?

 

Please check your settings against those found in the following Nod32 Tutorial HERE

Then run a scan by clicking on the NOD32 Control Centre> NOD32> Run NOD32> Scan and Clean.

Let us know how you go...

Cheers

 

Blackspear - that's a very well laid out Tutorial - well done.

Unfortunately, although I changed all settings as per the tutorial, NOD32 is still not picking up anything.

Additionally, the small problems fixed by Spybot last night have re-appeared (such as modifying the following registry entries: "AntiVirusDisableNotify = "1", "UpdatesDisableNotify" = "1", "FirewallOverride" = "1", "FirewallDisableNotify" = 1).

Therefore, the Worm/Trojan/Malware responsible for this infection is still present.

 

Thank you.

Could you please download and run “Hijack This” found HERE and post your log.

Cheers

 

Logfile of HijackThis v1.99.1
Scan saved at 6:20:34 PM, on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Components\Encoder\wmenc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\My Documents\Downloads\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126767517687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147436599781
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37940.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: svshosts - Unknown owner - C:\WINDOWS\Tencent
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: Windows Management Driver (wmidrv) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

 

I have a feeling that it's the current running process:
C:\WINDOWS\system32\services.exe

 

The log appears to be ok.

 

They say in the Windows folder. Not in the Windows\system32 folder. It does not mean that if there's malware named svchost.exe (very common) you would have to delete a crucial system file in the windows\system32 folder.

 

from this website:

"There are viruses and trojans that use the same name as services.exe. In most cases, the bogus services.exe might be present in your Windows folder, and added to the RUN keys so that the Malware loads at every startup."

 

Ah yes, you're right Marcos - 'tis late here - lucky I wasn't in a deleting mood!

 

From the log I see something that poses a security hole .
The Sun Java RE you use is outdated !!! Your version is 1.5.0_06 and the latest is version 1.5.0_07
Since old versions of this software are vulnerable and are being exploited ,your computer is at risk of being infected with Smithfraud trojans/spyware if you don't update

Update instructions:
1) Remove the current versions from Control Panel-> Add/Remove programs
2) Manually delete the folder Java in C:\Program files
3) Download and install the latest version form www.java.com -> Download section

 

Ummmm, what is this?

I personally think that the Java version is OK. It is only a couple of months old. The ones that were really suspectible to viruses were older versions than that.