TrojanSpy.Win32.Tofger
Details
TrojanSpy.Win32.Tofger.s
This Trojan is written in assembly language; the main component is approximately 17KB in size.
Once launched, the Trojan searches drives C:, D: and E: for all text files and saves their names and paths for later use.
When this is done, it displays a window with the title "Symantec Team Antivirus Tools".
Installation
During installation, the Trojan copies its main component to the Windows system directory as svchost.exe and registers this file in the system registry so that it runs each time the system is rebooted:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service]
The Trojan also creates two additional files in the Windows directory:
sysini.ini - a file containing information harvested from the victim machine
msto32.dll - a key logger program
Payload
The Trojan downloads updates to itself from the following addresses:
http://161.58.226.xx/unity/Updates/1.exe
http://161.58.226.xx/unity/Updates/2.exe
http://161.58.226.xx/unity/Updates/3.exe
It then copies them to the Windows system directory as surte.exe and launches them. The Trojan harvests a variety of information from the victim machine, including keystrokes and the contents of the clipboard, and periodically sends it to the author of the program.
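The Installation and Payload sections above give a small set of host artefacts: the "Online Service" Run value, the two companion files in the Windows directory, and the surte.exe dropper in the system directory. The following script is an added example, not Kaspersky's tooling or anything from the original description, that turns those artefacts into a host check. One caveat a practitioner should keep in mind: the main component is named svchost.exe, which collides with the legitimate Windows service host in the system directory, so the file name alone is not a usable indicator; the Run value that launches it and the companion files are what discriminate. The script works on constructed inputs (a dictionary of Run values and a list of file paths) so it runs offline; on a live host you would feed it the output of a registry query and a directory listing instead. All function and variable names are assumptions made for this example.

```python
"""Host indicator check for the TrojanSpy.Win32.Tofger.s artefacts described
in the text. Added example; names and sample data are constructed."""
import ntpath

# Indicators taken directly from the description.
RUN_VALUE_NAME = "online service"            # HKLM\...\CurrentVersion\Run value
WINDIR_FILES = {"sysini.ini", "msto32.dll"}  # harvested data + key logger
SYSDIR_FILES = {"surte.exe"}                 # downloaded update, run from sysdir
# svchost.exe is deliberately NOT in SYSDIR_FILES: the real Windows service
# host lives there too, so the name on its own proves nothing.


def _exe_of(cmd):
    """Return the lower-cased base name of the executable in a Run command,
    handling both quoted ("C:\\a b\\x.exe" -arg) and bare (C:\\x.exe) forms."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        exe = parts[0] if parts else cmd
    return ntpath.basename(exe).lower()


def check_run_values(run_values):
    """run_values: {value_name: command} taken from the Run key.
    Returns a list of human-readable findings (empty when clean)."""
    findings = []
    for name, cmd in run_values.items():
        if name.strip().lower() == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' matches Tofger name -> {cmd}")
        # A Run entry that starts svchost.exe directly is abnormal: the real
        # service host is started by the Service Control Manager, not via Run.
        if _exe_of(cmd) == "svchost.exe":
            findings.append(f"Run value '{name}' launches svchost.exe directly")
    return findings


def check_files(paths, windir="C:\\WINDOWS", sysdir="C:\\WINDOWS\\system32"):
    """paths: iterable of full file paths (e.g. from a directory listing).
    Flags the companion files in the Windows directory and the update
    dropper in the system directory; other locations are ignored."""
    findings = []
    windir, sysdir = windir.lower(), sysdir.lower()
    for p in paths:
        d, f = ntpath.split(p)
        d, f = d.lower(), f.lower()
        if d == windir and f in WINDIR_FILES:
            findings.append(f"companion file present: {p}")
        if d == sysdir and f in SYSDIR_FILES:
            findings.append(f"update dropper present: {p}")
    return findings


def scan(run_values, paths):
    """Combine both checks into one list of findings."""
    return check_run_values(run_values) + check_files(paths)


# Constructed sample data standing in for a registry query and a listing.
SAMPLE_RUN = {
    "Online Service": r"C:\WINDOWS\system32\svchost.exe",   # Tofger entry
    "SoundTray": r'"C:\Program Files\Audio\tray.exe" -quiet',  # benign
}
SAMPLE_PATHS = [
    r"C:\WINDOWS\sysini.ini",
    r"C:\WINDOWS\msto32.dll",
    r"C:\WINDOWS\system32\surte.exe",
    r"C:\WINDOWS\system32\svchost.exe",   # legitimate file, must not fire
    r"C:\Temp\sysini.ini",                # wrong directory, must not fire
]


def scan_sample():
    """Run the check over the constructed sample; returns the findings."""
    return scan(SAMPLE_RUN, SAMPLE_PATHS)


if __name__ == "__main__":
    for line in scan_sample():
        print(line)
```

The file checks compare full directories rather than just base names so that a copy of sysini.ini somewhere else does not trigger a false positive, and the legitimate svchost.exe in the system directory is never reported on its own. Findings are returned as plain strings so the same functions can feed a SIEM rule or a ticket without changing the logic.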