Remove Trojan.Bankpatch.D

Posted on: April 14th, 2009


Discovered: April 12, 2009
Updated: April 12, 2009 10:50:33 AM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Recommended Action:

In order to remove Trojan.Bankpatch.D you need to download the ‘No Adware’ remover software. Based on our testing this was the best performing remover of Trojan.Bankpatch.D.

You will see the download link on their website; once installed, it will perform a full system scan on your machine for free.

Technical Details:

When the Trojan is executed, it copies itself as the following files:

* %System%\pwrcode.dat
* %System%\wincode.dat
* %System%\krncode.dat

Next, it creates the following files:

* %System%\sysk.tmp (Copy of kernel32.dll)
* %System%\sysp.tmp (Copy of powrprof.dll)
* %System%\sysw.tmp (Copy of wininet.dll)
* %System%\osysk.dat (Copy of kernel32.dll)
* %System%\osysp.dat (Copy of powrprof.dll)
* %System%\osysw.dat (Copy of wininet.dll)

The Trojan then injects code into the following files:

* %System%\kernel32.dll
* %System%\powrprof.dll
* %System%\wininet.dll

Note: The modified files are detected as Trojan.Bankpatch.C!inf and may increase in size by 4 KB.

It also creates the following files:

* %System%\nsysk.ini (Trojan.Bankpatch.C!inf)
* %System%\nsysp.ini (Trojan.Bankpatch.C!inf)
* %System%\nsysw.ini (Trojan.Bankpatch.C!inf)

The Trojan injects different code into each infected .dll file.

Next, the Trojan modifies the following Windows APIs for %System%\kernel32.dll:

* CreateFileW
* CreateProcessInternalW

The Trojan modifies the following Windows APIs for %System%\wininet.dll:

* HttpSendRequestA
* HttpSendRequestW
* InternetConnectA
* InternetCrackUrlA
* InternetOpenA
* InternetOpenW

It also modifies the following Windows APIs for %System%\powrprof.dll:

* SetSuspendState
* GetActivePwrScheme

The threat creates the following file, which contains an encrypted version of
the Trojan executable:
%System%\ldshyf1.old

Next, it creates the following registry entries in order to save its configuration:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh\"prh" = "[http://]asmmnation.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"prd" = "[http://]asmmnation.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"USF" = "06\00SO"

It may also create the following registry subkeys in order to save configuration
data:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\new
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\tst
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\w8
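As an added triage aid (not part of the writeup or its vendor's tooling), the following Python checks a collected %System% file listing and a registry export for the artefacts described above: the dropped files and folders, a patched system DLL that has grown relative to the backup copy the Trojan leaves beside it, and the configuration values and subkeys under Internet Settings. The inventory dictionaries are constructed samples, and the folder names cock and xmldm are read from the writeup's "%System%\cock dir" and "%System%\xmldm dir".

```python
import re

# Artefact names taken from the writeup above; all live under %System%.
DROPPED = {"pwrcode.dat", "wincode.dat", "krncode.dat", "sysk.tmp", "sysp.tmp", "sysw.tmp",
           "osysk.dat", "osysp.dat", "osysw.dat", "nsysk.ini", "nsysp.ini", "nsysw.ini",
           "ldshyf1.old", "lodupgd.jpg"}
DROPPED_DIRS = {"cock", "xmldm"}   # read from "%System%\cock dir" / "%System%\xmldm dir"
# Patched system DLL -> the unmodified copy the Trojan leaves next to it.
PATCHED = {"kernel32.dll": "sysk.tmp", "powrprof.dll": "sysp.tmp", "wininet.dll": "sysw.tmp"}
INET = r"hklm\software\microsoft\windows\currentversion\internet settings"
REG_VALUES = {"prd", "usf"}   # values written directly under Internet Settings
REG_SUBKEYS = re.compile(rf"^{re.escape(INET)}\\(prh|new|tst|w8|task\\\d+)(\\|$)")

def triage(files, registry, system_dir=r"C:\Windows\System32"):
    """files: {full path: size in bytes}; registry: {key path: {value name: data}}.
    Returns a list of findings; an empty list means no Bankpatch.D artefact matched."""
    findings = []
    sysdir = system_dir.lower().rstrip("\\") + "\\"
    # Index %System% contents by name relative to the directory, case-folded.
    by_name = {p.lower()[len(sysdir):]: s for p, s in files.items() if p.lower().startswith(sysdir)}
    for name in sorted(by_name):
        if name in DROPPED or name.split("\\")[0] in DROPPED_DIRS:
            findings.append(f"dropped artefact: %System%\\{name}")
    for dll, backup in PATCHED.items():
        if dll in by_name and backup in by_name:
            growth = by_name[dll] - by_name[backup]
            if growth > 0:   # the writeup says the patched DLL grows by about 4 KB
                findings.append(f"{dll} is {growth} bytes larger than its backup {backup}; likely patched")
    for key, values in registry.items():
        k = key.lower()
        if k == INET:
            findings += [f"config value {v} under Internet Settings" for v in values if v.lower() in REG_VALUES]
        elif REG_SUBKEYS.match(k):
            findings.append(f"config subkey {key}")
    return findings

# Constructed inventory standing in for a collected file listing and registry export.
SAMPLE_FILES = {
    r"C:\Windows\System32\kernel32.dll": 989696 + 4096,   # grown by one 4 KB page
    r"C:\Windows\System32\sysk.tmp": 989696,              # Trojan's copy of the original
    r"C:\Windows\System32\wininet.dll": 658944,
    r"C:\Windows\System32\ldshyf1.old": 40960,
    r"C:\Windows\System32\xmldm\keys.log": 1200,
}
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings": {"prd": "asmmnation.com", "ProxyEnable": 0},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\task\17\UPD": {},
}
```

On a live system the two dictionaries would be filled from a directory walk and a registry export; the size comparison against the Trojan's own backup copy is what separates a patched DLL from a legitimately updated one.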

The Trojan attempts to run the following command in order to uninstall JAVA
on the computer:
cmd.exe /c javasw -uninstall

It attempts to restart the computer after a certain period of time in order to
become active in memory.

When the computer restarts, the threat monitors the browser for certain
banking-related URLs.

It then gathers the information and sends it to the following remote Web server:
[http://]asmmnation.com

The Trojan then attempts to retrieve and verify the home page of google.com
in order to verify network connectivity.

It then sends the following request to the remote server:
http://asmmnation.com/index.php?id=[COUNTRY]_[UID_LETTERS]&check=[CMD]&version=[TROJAN VERSION NUMBER]
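A detection-side sketch, added here and not part of the writeup, that flags the check-in described above in proxy logs: it matches the host named on the page and, independently, the request shape index.php?id=[COUNTRY]_[UID_LETTERS]&check=...&version=..., so a changed domain would still be caught. The log line format, the two-letter country code and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

C2_HOSTS = {"asmmnation.com"}   # the server named in the writeup
# Shape of the id= field: [COUNTRY]_[UID_LETTERS]; a two-letter country code is assumed here.
ID_SHAPE = re.compile(r"^[A-Za-z]{2}_[A-Za-z]+$")

def classify_request(url):
    """Return None for an unremarkable URL, else a dict describing the suspected beacon."""
    u = urlsplit(url)
    host = u.hostname or ""
    q = parse_qs(u.query, keep_blank_values=True)
    id_value = q.get("id", [""])[0]
    # Match the request structure, not just the host, so a renamed C2 domain is still caught.
    structural = (u.path.endswith("/index.php") and ID_SHAPE.match(id_value) is not None
                  and "check" in q and "version" in q)
    if host not in C2_HOSTS and not structural:
        return None
    country, _, uid = id_value.partition("_")
    return {"host": host, "known_c2": host in C2_HOSTS, "beacon_shape": structural,
            "country": country, "uid": uid,
            "cmd": q.get("check", [""])[0], "version": q.get("version", [""])[0]}

# Minimal proxy log format assumed here: "<timestamp> <client ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

def scan_proxy_log(lines):
    """Return one verdict per log line that looks like a Bankpatch.D check-in."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        verdict = classify_request(m["url"]) if m else None
        if verdict:
            verdict["client"] = m["client"]
            hits.append(verdict)
    return hits

SAMPLE_LOG = [   # constructed lines, not captured traffic
    "2009-04-14T09:12:03Z 10.1.2.34 GET http://www.google.com/",
    "2009-04-14T09:12:05Z 10.1.2.34 GET http://asmmnation.com/index.php?id=DK_qwtrzx&check=upd&version=4",
    "2009-04-14T09:13:40Z 10.1.2.57 GET http://198.51.100.7/index.php?id=US_abcd&check=new&version=4",
    "2009-04-14T09:14:01Z 10.1.2.57 GET http://example.net/index.php?id=42&check=x",
]
```

The google.com request that precedes the beacon in the writeup is deliberately not flagged; only the structured check-in is.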

The Trojan attempts to steal cookie files that contain the following strings in
their file names:

* 2o7
* 53[
* action.mathtag
* adbrite
* advanta
* advertising
* al.netminers
* amagerbanken
* andelskassen
* apmebf
* atdmt
* banken
* bankofamerica
* basisbank
* bridgetrack
* casalemedia
* chase
* citi.
* citibank
* coremetrics
* danskebank
* diba[THREE RANDOM CHARACTERS].txt
* discovercard
* djs
* djs-netbank
* doubleclick
* e-finance
* ebh-bank
* fastclick
* fih[
* fioniabank
* forbank
* froes
* fsb.netminers
* handelsbanken
* himmerland
* hitbox
* homebanking
* huntington
* hvidbjergbank
* ic-live
* ingdirect
* instadia
* interclick
* juniper
* key
* langspar
* lillespar
* liveperson
* lokalbanken
* lokalsparekassen
* lollandsbank
* lpk[THREE RANDOM CHARACTERS].txt
* lsb.netminers
* lsb[THREE RANDOM CHARACTERS].txt
* maxbank
* middelfartsparekasse
* midspar
* midtfjord
* moensbank
* morsbank
* morsoesparekasse
* nationalcity
* nationalcitycardservicesonline
* nationalirishbank
* navyfcu
* nykredit
* pensam
* peoples
* pnc[
* portalbank
* prod.bec
* realmedia
* regions
* revsci
* riba[THREE RANDOM CHARACTERS].txt
* ringkjoebing-bank
* roiservice
* roskildebank
* ru4
* sallingbank
* sbbank
* sparbank
* sparekassen
* sparekassenfaaborg
* sparekassenthy
* sparfar
* sparhobro
* sparhvetbo
* sparkron
* sparlolland
* sparnebel
* sparnord
* sparoj
* sparostjyl
* sparsalling
* sparskals
* statistik-gallup
* totalbanken
* track.adform
* trafficmp
* tribalfusion
* usbank
* vestjyskbank
* vinderupbank
* vorbank
* wachovia
* wamu
* websteronline
* webtrendslive
* wellsfargo
* www.al-bank
* yieldmanager
* zedo

It then stores the gathered cookie files in the following location:
%System%\cock dir

The threat creates the following folder in order to store configuration files from
remote server and gathered information from the compromised computer:
%System%\xmldm

It also attempts to log keystrokes and store them in the following location:
%System%\xmldm dir

The Trojan searches for the following browser plugins when Internet Explorer
starts:

* JAVA
* e-Safekey
* EBJSecurity_3

It creates the following registry subkeys in order to download more components
on to the computer:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Internet Settings\task\[DIGITS]\GUID
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Internet Settings\task\[DIGITS]\FROM
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Internet Settings\task\[DIGITS]\UPD

It downloads the following files and registers them as Browser Helper Objects
(BHO):

* %System%\[RANDOM CHARACTERS].dll
* %System%\[RANDOM CHARACTERS].txt

It may also download the following file, which is an update of the Trojan:
%System%\lodupgd.jpg

The Trojan may decrypt the original %System%\ldshyf1.old file in order to
prevent the Trojan from being deleted.

It may then run the file from the following location:
%Temp%

Action Steps:

FREE SCAN: NoAdware can remove Trojan.Bankpatch.D. Click the link below for your free download & scan your PC now.

MANUAL REMOVAL: Please click here for manual removal instructions.