Trojan.Bansap

Discovered: February 12, 2004
Updated: February 12, 2004 8:33:48 PM
Systems Affected: Windows

Trojan.Bansap is a trojan that overwrites all writeable files with copies of itself.

Trojan.Bansap is a trojan that overwrites files on the current drive. When it is executed, it creates the following copies of itself in the parent folder of %Temp%:
Win.bat
Wwin32.com

It then begins overwriting all writeable files on the current drive with copies of itself. These files use the icon of Microsoft Word documents and will have multiple file extensions. It will continue to overwrite files until the local drive is full.

It then adds the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winkernel32 = <path to wWin32.com>

It also creates the following registry entries, possibly as infection markers:
HKEY_LOCAL_MACHINE\Software\WinSystem32\SerialKeys = FL7S5-L3LDK-D9GS0-D846DD9H7S

HKEY_LOCAL_MACHINE\AAA-Registry Test
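
A triage check for the registry entries listed above, as an added example (not part of the original write-up or any vendor tool). It scans the text of a `.reg` export for the Run value and the two marker keys. The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Registry indicators from the write-up above: (key, value name or None for key-only).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "winkernel32"),
    (r"HKEY_LOCAL_MACHINE\Software\WinSystem32", "SerialKeys"),
    (r"HKEY_LOCAL_MACHINE\AAA-Registry Test", None),
]

def parse_reg_export(text):
    """Parse .reg export text into {key path: {value name: data}}, names lowercased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            data = m.group(2)
            if len(data) > 1 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # REG_SZ: undo escaping
            current[m.group(1).lower()] = data
    return keys

def find_bansap_indicators(reg_text):
    """Return (key, value name, data) for each indicator present in the export."""
    keys, hits = parse_reg_export(reg_text), []
    for key, name in INDICATORS:
        values = keys.get(key.lower())
        if values is not None and name is None:
            hits.append((key, None, None))  # the key's presence is the indicator
        elif values and name.lower() in values:
            hits.append((key, name, values[name.lower()]))
    return hits

# Constructed sample export (not taken from a real infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winkernel32"="C:\\Documents and Settings\\user\\Local Settings\\Wwin32.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\WinSystem32]
"SerialKeys"="FL7S5-L3LDK-D9GS0-D846DD9H7S"

[HKEY_LOCAL_MACHINE\AAA-Registry Test]
'''

if __name__ == "__main__":
    print(*find_bansap_indicators(SAMPLE), sep="\n")
```

Key and value names are compared case-insensitively, as the registry does, and the Run key alone is never reported because it exists on every Windows system; only the `winkernel32` value under it counts.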

The trojan also overwrites all .lnk files with copies of itself. These copies will also use the Microsoft Word document icon.

Next, it may open Internet Explorer to the following URL:
http:/ /cc.1asphost.com/coder386/getS.asp?cName=<computer name>

The following message boxes may also be displayed:
Sorry your computer has damage by a virus test, you can email me at virus_programmer_ph386@yahoo.com
Note: Your computer has been used for a virus experiment.

This virus is subject for improvement. Any comments, suggestions and etc Please contact me!. ENJOY YOUR COMPUTER WITH THIS VIRUS.

Finally, the trojan may set the user's Internet Explorer home page to:
www.coder3862004.cjb.net