W32.Debanpass

W32.Debanpass is a worm that can steal sensitive information and send the gathered data to a remote attacker. W32.Debanpass will create a copy of itself on removable media devices and configure itself to automatically run when Windows is started. The worm is specifically designed to steal banking details on the compromised machine.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Technical Details and Additional Information:

What can W32.Debanpass do to an infected computer?
- Creates an autorun.inf file that runs the worm when the drive is accessed.
- Monitors Internet Explorer and searches for the presence of predefined strings.
- Logs data entered into web forms, particularly banking details.

Malicious Files Added by W32.Debanpass
%System%\crase.exe
%System%\winebay.exe
%System%\url.tmp
%System%\dde.st
C:\tmpsss.log
C:\(random).tmp
%DriveLetter%\autorun.inf

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,,crase.exe"
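
The file and registry indicators above can be checked against data collected from a suspect host. The following is an added triage example, not part of the original advisory or any vendor tool: it takes a Userinit value and a file listing that were exported from the machine and reports what matches. The function names, the default system folder and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# File names come from the advisory's list; the default system_dir is an assumption.
SYSTEM_FILES = {"crase.exe", "winebay.exe", "url.tmp", "dde.st"}
ROOT_FILES = {r"c:\tmpsss.log"}
# C:\(random).tmp has no fixed name, so it cannot be matched by name here.


def unexpected_userinit_entries(value):
    """Return the programs in a Userinit value other than userinit.exe.

    Winlogon starts every comma-separated program in this value at logon.
    Only the file name is compared, so a userinit.exe outside the system
    folder still needs a manual look.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:  # empty fields, such as the ",," in the advisory's value
            continue
        if ntpath.basename(entry).lower() != "userinit.exe":
            extras.append(entry)
    return extras


def match_file_indicators(paths, system_dir=r"C:\Windows\System32"):
    """Return the paths in a file listing that match the advisory's file list."""
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    hits = []
    for path in paths:
        norm = ntpath.normcase(ntpath.normpath(path))
        folder, name = ntpath.split(norm)
        if folder == sysdir and name in SYSTEM_FILES:
            hits.append(path)
        elif norm in ROOT_FILES:
            hits.append(path)
        elif re.fullmatch(r"[a-z]:\\autorun\.inf", norm):
            hits.append(path)  # also found on clean media: review its contents
    return hits


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    listing = [r"C:\WINDOWS\system32\crase.exe", r"C:\WINDOWS\system32\notepad.exe",
               r"E:\autorun.inf", r"C:\tmpsss.log"]
    print(unexpected_userinit_entries(r"C:\WINDOWS\system32\userinit.exe,,crase.exe"))
    print(match_file_indicators(listing, r"C:\Windows\System32"))
```

Pass the real system folder of the host as `system_dir`, since %System% resolves to different paths on different Windows versions.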

W32.Debanpass – Removal

Removing W32.Debanpass Manually:
1. If using Windows ME or XP, System Restore must be disabled to prevent the threat from restoring itself.
2. Update the virus definitions.
3. Reboot Windows in Safe Mode.
4. Run a full system scan and clean or delete all infected files.
5. Delete or modify any values added to the registry.
6. Exit the registry editor and restart Windows.

Anti-virus Tools

Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton Antivirus, developed to remove unfamiliar threats without relying on traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.

Online Virus Scanner:
Another way to remove a virus from a system, without installing an additional anti-virus application, is to perform a thorough scan with a free online virus scanner, which can be found on the websites of legitimate security software providers.