1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP Trojan Bankpatch.D Activity

HTTP Trojan Bankpatch.D Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Bankpatch.C requesting information from its controlling server.

Additional Information

Trojan.Bankpatch is a Trojan horse that modifies system DLL files and attempts to steal information from the compromised computer.

When executed, the Trojan creates the following files:
%Temp%\conlf.ini(Bankpatch.C)
%System%\pwrcode.dat(Bankpatch.D)

It then creates copies of kernel.dll,powrprof.dll and wininet.dll

Next, the Trojan infects the following files with copies of itself:

* %System%\kernel32.dll
* %System%\powrprof.dll
* %System%\wininet.dll
* %System%\dllcache\kernel32.dll
* %System%\dllcache\powrprof.dll
* %System%\dllcache\wininet.dll


Note: The modified files are detected as Trojan.Bankpatch.C!Inf.

It also creates the following files:

* %System%\ldshyr.old
* %System%\nwklr.ini (Detected as Trojan.Bankpatch.C!Inf)
* %System%\nwpp.ini (Detected as Trojan.Bankpatch.C!Inf)
* %System%\nwwlnt.ini (Detected as Trojan.Bankpatch.C!Inf)


It also creates the following registry entry:
Bankpatch.C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\"lwh" = "[http://]ffcsanta.com"
Bankpatch.D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\"prd" = "[http://]asmmnation.com"


It then gathers information about the Web browsing activities on the compromised computer and stores this information within files in the above folder.

The Trojan restarts the compromised computer 24 hours after the original infection.

Following the restart, the Trojan examines every URL accessed by the compromised computer.

The Trojan sends URLs that appear on a predefined list to a remote network address where they may be collected by a remote attacker.

The Trojan may attempt to block access to certain Web sites.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Extract and restore Windows files.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube