Removed: 000003B067D98636.exe, driver0001.sys, driver0002.sys, driver0003.sys (trojan Bancos)

January 20, 2011 by NightWatcher
Filed under: Malware
Solved!


Malware: folha-de-pagamento.doc.www.denuncia.com.exe

Removed: C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0001.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0002.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0003.sys

—————————————————————————————————————————-
Detected by RegRun Warrior:

1. RegRun Reanimator:

Item Name: driver1
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\DRIVER0001.SYS
Type: Drivers

Item Name: driver2
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\DRIVER0002.SYS
Type: Drivers

Item Name: driver3
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\DRIVER0003.SYS
Type: Drivers

Item Name: SusClientIdId
Author: Microsoft Corporation
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\000003B067D98636.EXE
Type: Registry Run

2. Multi AntiVirus scan:

- none -

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SusClientIdId
Value: "C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.exe"

Files:
C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.cfg
C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0001.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0002.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0003.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\NOVAINFECCAO-WELL.log
C:\WINDOWS\system32\midas.dll
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.16160.0   2011.01.18    Dropped:Trojan.Generic.5391852
Kaspersky   7.0.0.125     2011.01.18    Trojan-Downloader.Win32.Agent.fqyw
Microsoft   1.6402        2011.01.18    TrojanSpy:Win32/Bancos
NOD32       5797          2011.01.18    probably unknown NewHeur_PE

—————————————————————————————————————————-

MD5 99ac0c2f53b89ea55671f411c6b32937

SHA1 14c8566743bc867072b6dede05e39fa4fa237cc4

SHA256 0b3120a72e44f981c10c0c3070a1c859f63f542230e8a0574a6d10b7b00e8d9b

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:19
———————————-
HKLM\Software\Microsoft\Security Center\Svc
HKLM\Software\Microsoft\DownloadManager
HKLM\Software\Policies\Microsoft\MRT
HKLM\Software\Policies\Microsoft\Windows Defender
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\0000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\0000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\0000
HKLM\System\CurrentControlSet\Services\driver1
HKLM\System\CurrentControlSet\Services\driver1\Security
HKLM\System\CurrentControlSet\Services\driver2
HKLM\System\CurrentControlSet\Services\driver2\Security
HKLM\System\CurrentControlSet\Services\driver3
HKLM\System\CurrentControlSet\Services\driver3\Security
HKCU\Software\Microsoft\Internet Explorer\Download
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments

———————————-
Values added:60
———————————-
HKLM\Software\Microsoft\Security Center\UACDisableNotify: 0x00000001
HKLM\Software\Microsoft\Security Center\AutoUpdateDisableNotify: 0x00000001
HKLM\Software\Microsoft\Security Center\InternetSettingsDisableNotify: 0x00000001
HKLM\Software\Microsoft\Security Center\UpdatesOverride: 0x00000001
HKLM\Software\Microsoft\Security Center\Svc\UACDisableNotify: 0x00000001
HKLM\Software\Microsoft\Security Center\Svc\AntiVirusDisableNotify: 0x00000001
HKLM\Software\Microsoft\Security Center\Svc\AntiVirusOverride: 0x00000001
HKLM\Software\Microsoft\Security Center\Svc\FirewallDisableNotify: 0x00000001
HKLM\Software\Microsoft\Security Center\Svc\FirewallOverride: 0x00000001
HKLM\Software\Microsoft\Security Center\Svc\UpdatesDisableNotify: 0x00000001
HKLM\Software\Microsoft\Security Center\Svc\UpdatesOverride: 0x00000001
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0x00000000
HKLM\Software\Policies\Microsoft\MRT\DontReportInfectionInformation: 0x00000001
HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\0000\Service: "driver1"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\0000\Class: "LegacyDriver"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\0000\DeviceDesc: "b1 Service"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER1\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\0000\Service: "driver2"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\0000\Class: "LegacyDriver"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\0000\DeviceDesc: "b2 Service"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER2\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\0000\Service: "driver3"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\0000\Class: "LegacyDriver"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\0000\DeviceDesc: "b3 Service"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DRIVER3\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.exe: "C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.exe:*:Enabled:000003B067D98636"
HKLM\System\CurrentControlSet\Services\driver1\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\driver1\Type: 0x00000001
HKLM\System\CurrentControlSet\Services\driver1\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\driver1\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\driver1\ImagePath: "\??\C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0001.sys"
HKLM\System\CurrentControlSet\Services\driver1\DisplayName: "b1 Service"
HKLM\System\CurrentControlSet\Services\driver2\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\driver2\Type: 0x00000001
HKLM\System\CurrentControlSet\Services\driver2\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\driver2\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\driver2\ImagePath: "\??\C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0002.sys"
HKLM\System\CurrentControlSet\Services\driver2\DisplayName: "b2 Service"
HKLM\System\CurrentControlSet\Services\driver3\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\driver3\Type: 0x00000001
HKLM\System\CurrentControlSet\Services\driver3\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\driver3\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\driver3\ImagePath: "\??\C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0003.sys"
HKLM\System\CurrentControlSet\Services\driver3\DisplayName: "b3 Service"
HKCU\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures: "no"
HKCU\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\SusClientIdId: "000003B067D98636"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes: ".exe;.bat;.com;.cmd;"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SusClientIdId: "C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.exe"

———————————-
Values modified:4
———————————-
(-) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0x00000000
(+) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0x00000001
(-) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0x00000000
(+) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0x00000001

———————————-
Files added:7
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.cfg
C:\Documents and Settings\Administrator\Local Settings\Application Data\000003B067D98636.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0001.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0002.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\driver0003.sys
C:\Documents and Settings\Administrator\Local Settings\Application Data\NOVAINFECCAO-WELL.log
C:\WINDOWS\system32\midas.dll

———————————-
Total changes:90
———————————-
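The two lists above ("How to quickly detect malware presence?" and the registry changes made on installation) can be turned into a host check. The script below is an added example written for this page; it is not part of the original post and not RegRun or UnHackMe code. It audits the Security Center, UAC, Windows Defender, MRT, Internet Explorer download and attachment-policy values that the report shows being flipped, lists Run entries and kernel-driver services whose image sits inside a user profile (the report's driver1..driver3 and the SusClientIdId Run value fit that pattern), and looks for the dropped file names in every local profile rather than only the Administrator profile the report was taken from. The registry paths and file names come from the report; the "expected" values are assumptions for a default Windows XP/7 installation and may legitimately differ on a centrally managed host. It assumes PowerShell 2.0 or later, run from an elevated prompt.

```powershell
# Added example, not from the original post or from RegRun/UnHackMe.
# Assumes PowerShell 2.0+ in an elevated session. Expected values are
# assumptions for a default Windows XP/7 host. A value that is absent is
# treated as "built-in default in effect" and is not reported; Expected = $null
# means that any presence of the value is worth a look.
$valueChecks = @(
    @{ Path = 'HKLM:\Software\Microsoft\Security Center';     Name = 'AntiVirusOverride';      Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center';     Name = 'FirewallOverride';       Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center';     Name = 'UpdatesOverride';        Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center\Svc'; Name = 'AntiVirusDisableNotify'; Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center\Svc'; Name = 'FirewallDisableNotify';  Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center\Svc'; Name = 'UpdatesDisableNotify';   Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Expected = 0 },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\MRT'; Name = 'DontReportInfectionInformation'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures';   Expected = 'yes' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation'; Expected = 0 },
    # A LowRiskFileTypes list containing executables suppresses the attachment prompt; report any value.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes'; Expected = $null }
)

# Compare each value against its expected setting; emit one object per deviation.
function Get-WeakenedSetting {
    foreach ($c in $valueChecks) {
        $key = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }             # key absent: built-in default applies
        $actual = $key.GetValue($c.Name)
        if ($null -eq $actual) { continue }          # value absent: built-in default applies
        if ($null -eq $c.Expected -or "$actual" -ne "$($c.Expected)") {
            New-Object PSObject -Property @{ Path = $c.Path; Name = $c.Name; Actual = $actual; Expected = $c.Expected }
        }
    }
}

# Run entries (machine and current user) whose command points into a user profile.
function Get-ProfileRunEntry {
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = Get-Item -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($null -eq $run) { continue }
        foreach ($name in $run.GetValueNames()) {
            $cmd = [string]$run.GetValue($name)
            if ($cmd -match '(?i)\\(Documents and Settings|Users)\\[^\\]+\\(Local Settings|AppData)\\') {
                New-Object PSObject -Property @{ Hive = $hive; Name = $name; Command = $cmd }
            }
        }
    }
}

# Kernel-driver services (Type 1) whose ImagePath lives under a user profile
# instead of %SystemRoot%; the report's driver1..driver3 match this.
function Get-ProfileDriverService {
    $services = Get-ChildItem -Path 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $type  = $svc.GetValue('Type')
        $image = [string]$svc.GetValue('ImagePath')
        if ($type -eq 1 -and $image -match '(?i)\\(Documents and Settings|Users)\\') {
            New-Object PSObject -Property @{ Service = $svc.PSChildName; Start = $svc.GetValue('Start'); ImagePath = $image }
        }
    }
}

# Dropped file names taken from the report, checked in every local profile.
$droppedNames = '000003B067D98636.cfg', '000003B067D98636.exe',
                'driver0001.sys', 'driver0002.sys', 'driver0003.sys', 'NOVAINFECCAO-WELL.log'

function Get-DroppedFile {
    $profileDirs = @(Get-ChildItem -Path 'C:\Documents and Settings', 'C:\Users' -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer })
    foreach ($dir in $profileDirs) {
        foreach ($sub in 'Local Settings\Application Data', 'AppData\Local') {
            foreach ($name in $droppedNames) {
                $candidate = Join-Path -Path (Join-Path -Path $dir.FullName -ChildPath $sub) -ChildPath $name
                if (Test-Path -Path $candidate -PathType Leaf) { Get-Item -Path $candidate -Force }
            }
        }
    }
}

Write-Output '== Security-weakening registry values =='
Get-WeakenedSetting      | Format-Table Path, Name, Actual, Expected -AutoSize
Write-Output '== Run entries pointing into a user profile =='
Get-ProfileRunEntry      | Format-Table Hive, Name, Command -AutoSize
Write-Output '== Kernel-driver services loaded from a user profile =='
Get-ProfileDriverService | Format-Table Service, Start, ImagePath -AutoSize
Write-Output '== Dropped files still on disk =='
Get-DroppedFile          | Format-Table FullName, Length, LastWriteTime -AutoSize
```

An empty section means nothing matched. Because the Security Center and UAC values are machine-wide while the Internet Explorer and attachment-policy values live under HKCU, run the script once per interactive user account (or substitute the loaded hive for the account in question) before treating the HKCU checks as clean. The driver-service and Run-entry checks are generic and will also surface other software that installs into a profile directory, so review each hit rather than deleting on sight.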

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com



Written by

Malware Hunter.
