Early Google hit is for the info below from Sophos. Of course, other trojans may use that filename.
Google has no hits for the other trojan you mention. I suggest you ask the AV company who gave it
that name.
Don't do any internet banking! Change your online banking passwords. Check the account status.
W32/Nanpy-A is a worm for the Windows platform. It may spread to vulnerable computers via the
RPC-DCOM exploit, and attempt to redirect access to various banking websites.
When first run W32/Nanpy-A copies itself to <System>\mmsvc32.exe.
The following registry entry is created to run mmsvc32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Services Controller
<System>\mmsvc32.exe
W32/Nanpy-A modifies the HOSTS file, mapping the URLs of banking websites to a remote IP. At the
time of writing, this IP address is not functional.
lloydstsb.co.uk
online.lloydstsb.co.uk
www.lloydstsb.co.uk
www.lloydstsb.com
personal.barclays.co.uk
barclays.co.uk
ibank.barclays.co.uk
www.barclays.co.uk
www.nwolb.com
nwolb.com
hsbc.co.uk
www.hsbc.co.uk
abbey.com
www.abbey.com
www.abbey.co.uk
abbey.co.uk
cahoot.com
www.cahoot.com
www.cahoot.co.uk
cahoot.co.uk
www.co-operativebank.co.uk
co-operativebank.co.uk
www.co-operativebank.com
co-operativebank.com
welcome2.co-operativebankonline.co.uk
welcome6.co-operativebankonline.co.uk
welcome8.co-operativebankonline.co.uk
welcome10.co-operativebankonline.co.uk
www.smile.co.uk
smile.co.uk
