Trickbot Virus Removal Guide

Trickbot Virus is a banking Trojan similar to Dyre (also known as Dyreza), and its primary objective is to infect vulnerable computers and steal banking information when you enter your banking website. However, it only works with banking websites based in Australia, but regardless where you are or what bank you use, you should remove this malicious application as soon as possible. In this article, we will talk about how this program works, how it is distributed, and how you can remove it manually as well as using a third-party application. This piece of malware is undoubtedly dangerous as it can help cyber criminals steal your money.

According to our research, Godzilla Loader is used to download and install Trickbot Virus from http://185.14.29{.}13/api.php. The login for the Command and Control (C&C) server is shown at the URL admin.php. Our research has also uncovered that this Trojan is distributed via email spam that is disguised as emails, to compel users to open them and, subsequently, their attachment. The fake subject line of the email is “You have received a new fax, ” and it has a .scr attachment that may look like fax198-203-9153.scr. If you open this file attachment, it downloads Godzilla Loader which, in turn, downloads Trickbot Virus’s main executable file and its additional files.

It was concluded that Trickbot Virus has some striking similarities with Dyre that include using a similar loader. However, Dyre was written in C, while this new Trojan was written in C++. Furthermore, Dyre used SHA256 or AES routines while this new malware makes use of Microsoft CryptoAPU. Lastly, Dyre used running commands while Trickbot Virus utilizes Task Scheduler. Dyre’s creators were arrested in 2015 by Russian law enforcement for their illicit online activities and are now serving their prison sentences. However, due to the similarities between Dyre and Trickbot Virus, it is possible that at least one of the developers of Dyre worked on this new Trojan as well.

Our analysis has shown that once this Trojan has infected a computer, it will copy itself to %APPDATA% and delete the original sample. The name of the main executable may be different between each case, but when we tested it the executable as named trick.exe. Nevertheless, this executable is accompanied by files named client_id and group_tag. These two files are generated locally — not downloaded from the C&C server. client_id consists of the name attached to the machine, the operating system version, and a randomly generated string. group_tag features text “tmt2”. Once these files are in place, this Trojan will download config.conf and store it in encrypted form. Furthermore, it will download a folder named Modules that features modules named injectDll32 and systeminfo32. Once everything is in place, this Trojan is set to go to work.

We found that it is designed to connect to a legitimate server called myexternalip.com to fetch the IP address. Most of the communications with its C&C server, however, are SSL encrypted. The C&C is set up on hacked wireless routers, and this setup was also previously used in Dyre. Once everything is in place, this Trojan will wait till you visit Australia-based online banking websites such as ibanking.stgeorge.com.au, ib.nab.com.au, banking.westpac.com.au, anz.com or cibconline.cibc.com and. Trickbot Virus uses webinjects to collect information from the aforementioned bank websites, and this information can include logins, passwords and all other information that can help its creators to steal your money. This Trojan is also known to steal credentials for Salesforce accounts.

In closing, Trickbot Virus is one malicious piece of software, and if it happens to infect your computer, then it can steal your banking credentials and then your money. However, if your computer has already been infected with this malware, then you have to remove it as soon as possible. If you want to delete its files manually, please use the instructions below, but if you run into trouble or you cannot get rid of it manually for whatever reason, we suggest using SpyHunter as it will make light work of it.

Removal

1. Hold down Win+E.
2. File Explorer’s address box, type C:\Users\{User name}\AppData\Roaming and hit Enter.
3. Locate 6a7577ce0970dcbacd2009d632ce10ef3ceea784cd92f8bc9f2829bb2601a57a.exe
4. Right-click it and click Delete.
5. Type %WINDIR%\System32\config\systemprofile\AppData\Roaming and hit Enter.
6. Locate trick.exe, client_id, config.conf, and group_tag
7. Right-click them and click Delete.
8. Go to C:\Windows\System32\Tasks
9. Locate the filename Bot and delete it.
10. Then, go to C:\Windows\System32\config\systemprofile\AppData\Roaming
11. Locate the Modules folder and delete it.
12. Empty the Recycle Bin.