Trojan: winntR1.exe, winntR2.exe, winnt2.exe, winnt3.exe, winnt4.exe, winnt5.exe, winnt.6.exe





Virus/Trojan Summary

Name: Generic.dx!zi!1958aa4e01e3 (McAfee), Trojan-Downloader.Win32.Banload [Ikarus]

Type: Trojan virus

Infection Method: Email

The user received an email from a friend or colleague, with a varying subject line (e.g. "Fotos Data: 17/06") and a body similar to the following:

Imagens anexadas: DSC_252.jpg DSC_326.jpg DSC_417.jpg
(Portuguese: "Attached images: DSC_252.jpg DSC_326.jpg DSC_417.jpg")

The user clicked the hyperlink because it looked like a photo sent by a friend.

Note: do not click the .jpg links above; they lead to the actual Trojan download location.

The user ignored the warning prompt:


The user clicked “Run”.

A window like the one shown below, with the message “Arquivo Corrompido!” (Portuguese for “Corrupted file!”), means the system has been infected by the Trojan.

Background Process after Infection:

The following processes appear in Task Manager:

  • winntR1.exe

  • winntR2.exe

  • winnt2.exe

  • winnt3.exe

  • winnt4.exe

  • winnt5.exe

  • winnt.6.exe

Network Activity after Infection:

The infected system attempts to spread by connecting over HTTP (port 80) and SMTP (port 25) to the following addresses:

200.226.249.3:80

201.76.62.3:25

According to the affected user, the Trojan also tries to spread by sending email from the user's Hotmail account to the addresses in the user's Hotmail contact list.

 

Registry Modification

The following registry key was created:

  • HKEY_CURRENT_USER\dark

  • The following values were created under one of these locations:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

      • winntR1 = "C:\winnt_\winntR1.exe"

      • winntR2 = "C:\winnt_\winntR2.exe"

      • winnt2 = "C:\winnt_\winnt2.exe"

      • winnt3 = "C:\winnt_\winnt3.exe"

      • winnt4 = "C:\winnt_\winnt4.exe"

      • winnt5 = "C:\winnt_\winnt5.exe"

      • winnt6 = "C:\winnt_\winnt6.exe"

File System Modifications:

The following directory was created:

c:\winnt_

Removal Method:

Note: The Trojan may affect only the particular user account that was infected.

  1. Log in as the user account that was infected by the Trojan.

  2. Kill (End Task) all processes whose names start with winnt*.exe in Task Manager.

  3. Empty the Temporary Internet Files folder.

  4. Delete all winnt* entries under the following registry keys: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

  5. Delete HKEY_CURRENT_USER\dark in the registry.

  6. Restart the computer.

  7. Log in as administrator.

  8. Delete the “c:\winnt_” folder.

  9. Download and run the removal tool from http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe (This tool can only remove certain infected files; that is why the manual clean-up above has to be done before running it.)
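As an added example, not part of the original report: a PowerShell script that checks a host for the indicators listed above (winnt*.exe processes, Run values named winnt* or pointing into C:\winnt_, the HKEY_CURRENT_USER\dark key, the C:\winnt_ folder) and, with the -Remove switch, carries out manual steps 2, 4, 5 and 8. The switch and variable names are my own; everything else comes from the indicators on this page.

```powershell
# Added example (not from the original report): check a host for the indicators
# listed above and, with -Remove, carry out manual steps 2, 4, 5 and 8.
# Run from an elevated PowerShell prompt as the affected user; the Temporary
# Internet Files step and the Norman tool are left to the operator.
param([switch]$Remove)

$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$markerKey = 'HKCU:\dark'
$dropDir   = 'C:\winnt_'
$findings  = @()

# Step 2: processes named winnt*.exe (winntR1, winnt2, ..., winnt.6)
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like 'winnt*' }
foreach ($p in $procs) {
    $findings += "process $($p.ProcessName).exe (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
}

# Step 4: Run values named winnt* or whose data points into C:\winnt_, in either hive
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name -like 'winnt*' -or $data -like "$dropDir\*") {
            $findings += "Run value $key\$name = $data"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue }
        }
    }
}

# Step 5: the HKEY_CURRENT_USER\dark marker key
if (Test-Path $markerKey) {
    $findings += "registry key $markerKey"
    if ($Remove) { Remove-Item -Path $markerKey -Recurse -Force -ErrorAction SilentlyContinue }
}

# Step 8: the drop directory; removed only after the processes above are stopped
if (Test-Path $dropDir) {
    $findings += "directory $dropDir"
    if ($Remove) { Remove-Item -Path $dropDir -Recurse -Force -ErrorAction SilentlyContinue }
}

if ($findings.Count -eq 0) { 'No winnt_ indicators found.' } else { $findings }
```

Run it once without -Remove to list what it finds, then again with -Remove; a reboot (step 6) is still needed before deleting the folder if a process could not be stopped.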


winnt* virus

Hi derrickw,
thank you for sharing your clear instructions on removing this virus; it worked very well for me and it was easy.
The only thing I had trouble with was knowing WHERE/HOW to type regedit in the command prompt, as I am not very good at computers and did not know where to look for the registry.
I have Windows Vista.
Have a great day!

Regedit for Windows Vista Home Edition

I believe you must be using Windows Vista Home Edition. You can check out the following website to enable regedit:

http://www.vistax64.com/tutorials/116415-regedit-enable-disable.html
