TROJ_BANKER.LPU
Windows 98, ME, NT, 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan may be dropped by other malware.
It modifies registry entries to enable its automatic execution at every system startup.
It displays a fake log-in page when users access certain websites to trick them into providing sensitive information such as their account names and passwords.
TECHNICAL DETAILS
1611776 bytes
Yes
17 Dec 2009
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting the following malicious websites:
It may be dropped by other malware.
Installation
This Trojan drops the following files:
- %System Root%\winsystem.exe
- %System%\chamada1728.txt
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This Trojan modifies the following registry entry(ies) to enable its automatic execution at every system startup:
Information Theft
This Trojan displays a fake log-in page when a user accesses the following websites:
Stolen Information
This Trojan
Drop Points
This Trojan
Variant Information
This Trojan has the following MD5 hashes:
SOLUTION
Step 1
Scan your computer with your Trend Micro product and note files detected as TROJ_BANKER.LPU
Step 2
Locating Malware File(s)
- Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
- In the Named input box, type:
Step 3
Delete these registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.
- In HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center
- FirewallDisableNotify = 1
- UpdatesDisableNotify = 1
- AntiVirusDisableNotify = 1
- AntiVirusOverride = 1
- FirewallOverride = 1
- In HKEY_LOCAL_MACHINESOFTWAREPolicies
MicrosoftWindowsFirewallDomainProfile
EnableFirewall = 0 - In HKEY_LOCAL_MACHINESOFTWAREPolicies
MicrosoftWindowsFirewall StandardProfile
EnableFirewall = 0 - In HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft
WindowsWindowsUpdate DoNotAllowXPSP2 = 1
Step 4
Scan your computer with your Trend Micro product and note files detected as TROJ_BANKER.LPU
Step 5
Delete these registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.
- In HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center
- FirewallDisableNotify = 1
- UpdatesDisableNotify = 1
- AntiVirusDisableNotify = 1
- AntiVirusOverride = 1
- FirewallOverride = 1
- In HKEY_LOCAL_MACHINESOFTWAREPolicies
MicrosoftWindowsFirewallDomainProfile
EnableFirewall = 0 - In HKEY_LOCAL_MACHINESOFTWAREPolicies
MicrosoftWindowsFirewall StandardProfile
EnableFirewall = 0 - In HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft
WindowsWindowsUpdate DoNotAllowXPSP2 = 1
Step 6
*NOTE: This malware is a DLL file that may come with a main component detected by Trend Micro as another malware. It may also be used by several variants of a certain malware family. If your Trend Micro product detects another malware on your system, refer to the manual removal instructions of that detected malware.
Step 7
Terminate the malware/grayware/spyware process:
Step 8
Scan your computer with your Trend Micro product to delete files detected as
*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.