Trojan.Banksun
Trojan.Banksun is a mischievous backdoor Trojan that gives a remote attacker unauthorized access to, and control of, the infected computer. Trojan.Banksun also steals confidential data such as user names and passwords by recording the user's keystrokes and web browser activity. Trojan.Banksun can be installed by careless users while using the Internet, or by other malware infections. Trojan.Banksun can create registry entries on the infected computer so that it executes whenever Windows starts. Trojan.Banksun is a misleading threat, and it can block anti-virus software from scanning. Trojan.Banksun has to be removed immediately to make your computer clean and protected.
File System Modifications
- The following files were created in the system:
#   File Name
1   %UserProfile%\Application Data\Sun\[random].dll
2   %UserProfile%\Application Data\Sun\cetw.txt
3   %UserProfile%\Application Data\Sun\cngrh.txt
4   %UserProfile%\Application Data\Sun\crff.txt
5   %UserProfile%\Application Data\Sun\ffefx.txt
6   %UserProfile%\Application Data\Sun\kwbn45.dll
7   %UserProfile%\Application Data\Sun\kwbn45_shrd
8   %UserProfile%\Application Data\Sun\lfmt.txt
9   %UserProfile%\Application Data\Sun\mogr.txt
10  %UserProfile%\Application Data\Sun\slbrmo
11  %UserProfile%\Application Data\Sun\vwvn.txt
12  %UserProfile%\Application Data\Sun\xkelf.txt
13  %UserProfile%\Application Data\Sun\zxvd32.dll
14  %UserProfile%\Application Data\Sun\zxvd32_shrd
Registry Modifications
- The following registry values were newly created:
HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\GDI\"D1" = "66706525"
HKEY_CURRENT_USER\Software\Microsoft\GDI\"D2" = "66706526"
HKEY_CURRENT_USER\Software\Microsoft\GDI\"D3" = "66706527"
HKEY_CURRENT_USER\Software\Microsoft\GDI\"pr" = "6362613a77737a707b3a7b73603a7770787f7a7e77"
HKEY_CURRENT_USER\Software\Microsoft\GDI\0\"mmmk" = "[EIGHT DIGIT NUMBER]_[SIX DIGIT NUMBER]_[FIVE DIGIT NUMBER]"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"TabProcGrowth" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"EnabledV8" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"ShownVerifyBalloon" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\"DisableFixSecuritySettings" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\"DisableSecuritySettingsCheck" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2500" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"2500" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"2500" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"lpc" = "rundll32.exe \"%UserProfile%\Application Data\Sun\[THREAT FILE NAME]", RegisterDll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{117BCF0D-7850-4DF8-A943-410E0426F18D}\"(Default)" = "GDI Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{117BCF0D-7850-4DF8-A943-410E0426F18D}\"IsInstalled" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{117BCF0D-7850-4DF8-A943-410E0426F18D}\"Locale" = "EN"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{117BCF0D-7850-4DF8-A943-410E0426F18D}\"StubPath" = "rundll32.exe \"%UserProfile%\Application Data\Sun\[THREAT FILE NAME]\", UnregisterDll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{117BCF0D-7850-4DF8-A943-410E0426F18D}\"Version" = "4,3,6,3"