McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trj/Tofger.A (Panda)

• TrojanSpy.Win32.Tofger (AVP)

Characteristics

--Update 19 Nov 2003 --

A new variant of the trojan was spammed.  The dropper is detection as Multidropper-GP .  The trojan is copied to %WinDir%\system.exe, where %WinDir% is the Windows directory.  The following registry key is created:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "Online Service" = %WinDir%\system.exe

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via SMTP mail.  It has keylogging, backdoor functionalities.

There are two variants of this trojan reported. The description is a general guide.  Newer variants require latest DATs for detection and cleanning.

The trojan might arrive in a dropper file.  When the dropper file is run, it copies the main trojan and its dependent dll to the local machine and launch the main trojan.  The trojan requires file msin32.dll to run, which is a keylogger dll.

When run, the trojan creates the following registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mserv

It registers itself as a service process using the RegisterServiceProcess API. It creates a hidden window running in the background.

It deletes links in Internet Explorer Favorites folder, sets Internet Explorer start page to certain website.  It deletes all entries in the URL cache.

It launches the leylogger dll and creates the following log file:

• %SysDir%/sysini.ini

Where %SysDir% is the Windows system directory.

It opens port 10002 on local system and listens for remote commands.  It can perform the following backdoor activities:

• Send system information out, such as ip, file and process names.
• Download and launch file.
• Delete files.

It monitors windows with certain title to become active.  The title text includes the following:

• St.George Internet Banking Logon Page
• Westpac Internet Banking

It stores the information entered in the log file. 

It sends the log file to certain email address using its own SMTP engine.

Symptoms

Existence of files and registry keys mentioned above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trj/Tofger.A (Panda)

• TrojanSpy.Win32.Tofger (AVP)

Characteristics

Characteristics -

--Update 19 Nov 2003 --

A new variant of the trojan was spammed.  The dropper is detection as Multidropper-GP .  The trojan is copied to %WinDir%\system.exe, where %WinDir% is the Windows directory.  The following registry key is created:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "Online Service" = %WinDir%\system.exe

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via SMTP mail.  It has keylogging, backdoor functionalities.

There are two variants of this trojan reported. The description is a general guide.  Newer variants require latest DATs for detection and cleanning.

The trojan might arrive in a dropper file.  When the dropper file is run, it copies the main trojan and its dependent dll to the local machine and launch the main trojan.  The trojan requires file msin32.dll to run, which is a keylogger dll.

When run, the trojan creates the following registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mserv

It registers itself as a service process using the RegisterServiceProcess API. It creates a hidden window running in the background.

It deletes links in Internet Explorer Favorites folder, sets Internet Explorer start page to certain website.  It deletes all entries in the URL cache.

It launches the leylogger dll and creates the following log file:

• %SysDir%/sysini.ini

Where %SysDir% is the Windows system directory.

It opens port 10002 on local system and listens for remote commands.  It can perform the following backdoor activities:

• Send system information out, such as ip, file and process names.
• Download and launch file.
• Delete files.

It monitors windows with certain title to become active.  The title text includes the following:

• St.George Internet Banking Logon Page
• Westpac Internet Banking

It stores the information entered in the log file. 

It sends the log file to certain email address using its own SMTP engine.

Symptoms

Symptoms -

Existence of files and registry keys mentioned above.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A