virus protection

Trojan-Downloader.Win32.Banload.dcd

Wednesday, September 24, 2008


This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 113152 bytes in size. It is not packed in any way. This Trojan is written in Visual Basic.


Installation


Once launched, the Trojan copies its body to the Windows program files directory as "lsass.exe":


%Program Files%\Microsoft Studio Files\lsass.exe

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan registers its executable file in the system registry:


[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

The Trojan then creates a command interpreter file called "vcdg.bat" in the same directory:


%Program Files%\Microsoft Studio Files\vcdg.bat

It writes the following strings to this file:


netsh.exe firewall add allowedprogram PROGRAM="%Program Files%\Microsoft Studio Files\lsass.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL

In doing so, the Trojan modifies the configuration of the Windows XP firewall, permitting any network activity created by the malicious process.


"%Program Files%\Microsoft Studio Files\vcdg.bat" is then launched for execution.
Payload

Once installed, the Trojan downloads files from the following URLs:


http://www.club-vw.cl/*****/modules/subsmanager/api_apache.tar

http://www.*****-consult.net/rcss.res

http://www.photo-*****.ru/images/exhibition_moll2005_file0031.jpg

At the time of writing, these links were not active.


http://www.cemm*****ac.at/img/nav/plus19a_RO.jpg

This file is 2603325 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Banbra.bak.


Files which are downloaded are saved to the Trojan's installation directory under random names and launched for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:



  1. Use Task Manager to terminate the Trojan process.

  2. Delete the following system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

    "lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"


  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

  4. Delete the following directory and its contents:
    %Program Files%\Microsoft Studio Files


  5. Delete all files from %Temporary Internet Files%.

  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
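The following PowerShell script is an added example and not part of the original description. It checks a Windows host for the artifacts named in the Installation section and referenced again in the removal steps above: the "lsass" value under the HKCU Run key, the dropped lsass.exe and vcdg.bat in the "Microsoft Studio Files" directory, any process called lsass.exe that is not running from System32 (the genuine LSASS always does), and the "Session Win32" firewall exception added by the batch file. It only reports findings so that an administrator can confirm them before following steps 1 to 6. It assumes PowerShell 3.0 or later for the CIM cmdlets and `netsh advfirewall` (Windows Vista and later) for the firewall check; on Windows XP, where this Trojan was observed, `netsh firewall show allowedprogram` would be the equivalent query.

```powershell
# Added example: report persistence artifacts of Trojan-Downloader.Win32.Banload.dcd
# as described in the write-up. Paths, value name and rule name come from the
# description; everything else (variable names, output text) is this example's own.
# Read-only: nothing is stopped or deleted.

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Autorun value: "lsass" under HKCU\...\Run pointing at the copied executable.
$runValue = Get-ItemProperty -Path $runKey -Name 'lsass' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run key value 'lsass' = $($runValue.lsass)"
}

# 2. Dropped files. A 32-bit Trojan resolves %Program Files% to the x86 folder on
#    64-bit Windows, so both candidate directories are checked.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($dir in $programDirs) {
    $installDir = Join-Path $dir 'Microsoft Studio Files'
    foreach ($name in @('lsass.exe', 'vcdg.bat')) {
        $path = Join-Path $installDir $name
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            $findings += "File present: $path ($size bytes)"
        }
    }
}

# 3. Any lsass.exe whose image is outside %SystemRoot%\System32. The real LSASS
#    lives there; the Trojan borrows the name to blend into Task Manager.
#    ExecutablePath is empty for processes we lack rights to inspect; those are skipped.
$system32 = Join-Path $env:SystemRoot 'System32'
Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" |
    Where-Object {
        $_.ExecutablePath -and
        -not $_.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')
    } |
    ForEach-Object {
        $findings += "Suspicious lsass.exe PID $($_.ProcessId) at $($_.ExecutablePath)"
    }

# 4. Firewall exception created by vcdg.bat (NAME="Session Win32").
#    netsh prints "No rules match the specified criteria." when absent.
$ruleOutput = netsh advfirewall firewall show rule name="Session Win32" 2>$null
if ($ruleOutput -match 'Rule Name:\s+Session Win32') {
    $findings += "Firewall rule 'Session Win32' is present"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Banload.dcd artifacts found.'
} else {
    Write-Output 'Artifacts matching the Banload.dcd description:'
    $findings | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Follow the removal steps: end the process first, then remove the Run value and the directory, then re-scan.'
}
```

Run it from an elevated prompt so that process image paths are visible; without elevation the lsass.exe check can only report processes the current user is allowed to query, which is why the script treats an empty ExecutablePath as "unknown" rather than as clean.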


posted by Mandy, 3:19 PM