TSPY_BANKER.QDL
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
9,856 bytes
EXE
No
27 Sep 2011
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
NOTES:
This spyware attempts to delete the following component files of GbPlugin, a program used by Brazilian banks to protect customers in performing Internet banking transactions:
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbpsv.exe
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbiehcef.dll
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbieh.gmd
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\cef.gpc
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbieh.dll
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbpdist.dll
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\bb.gpc
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbpkm.sys
- \Device\HarddiskVolume1\WINDOWS\system32\scpsssh2.dll
- \Device\HarddiskVolume1\WINDOWS\system32\drivers\gbpkm.sys
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\scpsssh2.inf
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\abn.gpc
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\erma.inf
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\gbieh.gmd
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\gbiehabn.dll
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\gbiehuni.dll
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\GbPluginABN.inf
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\GbPluginuni.inf
- \Device\HarddiskVolume1\WINDOWS\Downloaded Program Files\uni.gpc
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbiehuni.dll
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\uni.gpc
- \Device\HarddiskVolume1\Arquivos de programas\Scpad\scpIBCfg.bin
- \Device\HarddiskVolume1\Arquivos de programas\Scpad\scpMIB.dll
- \Device\HarddiskVolume1\Arquivos de programas\Scpad\scpsssh2.dll
- \Device\HarddiskVolume1\Arquivos de programas\Scpad\sshib.dll
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbiehscd.dll
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\gbpdist.dll
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\scd.gpc
- \Device\HarddiskVolume1\Arquivos de programas\GbPlugin\GbpSv.exe
Note: \Device\HarddiskVolume1\ is the default Windows installation volume, which is usually C:\
SOLUTION
9.200
8.458.15
27 Sep 2011
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Scan your computer with your Trend Micro product to delete files detected as TSPY_BANKER.QDL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 3
Restore these deleted files from backup
*Note: Only Microsoft-related keys/values will be restored. If this malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
Did this description help? Tell us how we did.