Troj/Tofger-B is a multi-component Trojan which consists of a main dropper, a backdoor Trojan component and a keylogging component.
The main dropper is called MSTASKS.EXE which may be downloaded and executed on the victim's computer if certain infected HTML or PHP pages are accessed (these scripts are detected as VBS/Tofger-B).
MSTASKS.EXE drops the files:
C:\<Windows>\MSTO32.DLL
C:\<Windows>\SYSTEM.EXE
C:\<Windows>\SYSINI.INI
C:\<Windows system>\SVCHOSTC.EXE
C:\<Windows system>\SVCHOSTS.EXE
and executes C:\<Windows>\SYSTEM.EXE.
MSTASKS.EXE also adds the following entry to the registry to run SYSTEM.EXE on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service = C:\<Windows>\SYSTEM.EXE
SYSTEM.EXE runs in the background as a service process, opens port 10002 and listens for backdoor commands from a remote intruder.
MSTO32.DLL is the keylogging component of the Trojan and is invoked by SYSTEM.EXE.
SYSTEM.EXE also executes the files SVCHOSTC.EXE and SVCHOSTS.EXE, which are legitimate freeware HTTP proxy and socket servers.
SYSTEM.EXE may also open a window which masquerades as the logon page for an internet bank account.
Text entered into the fake logon page and any keylogged information may be emailed to an external email address via SMTP.
The Trojan may also communicate with a remote website.
Troj/Tofger-B may attempt to download and execute EXE files from the internet.
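The artifacts above (dropped files, the "Online Service" Run key and the listener on port 10002) can be checked together against a host snapshot. The following triage script is an added example, not part of this write-up; the snapshot layout (windir, sysdir, files, run_entries, listening) and the sample hosts are constructed for illustration.

```python
"""Triage a host snapshot for Troj/Tofger-B indicators (added example)."""

# Indicators taken from the write-up. <Windows> and <Windows system> are the
# write-up's placeholders and are resolved against the host's real directories.
DROPPED_FILES = [
    r"<Windows>\MSTO32.DLL", r"<Windows>\SYSTEM.EXE", r"<Windows>\SYSINI.INI",
    r"<Windows system>\SVCHOSTC.EXE", r"<Windows system>\SVCHOSTS.EXE",
]
RUN_KEY_NAME, RUN_KEY_VALUE = "Online Service", r"<Windows>\SYSTEM.EXE"
BACKDOOR_PORT = 10002


def resolve(path, windir, sysdir):
    """Expand the placeholders (longer one first) and normalise case."""
    return path.replace("<Windows system>", sysdir).replace("<Windows>", windir).lower()


def triage(snapshot):
    """Return the list of matched indicators for one host snapshot.

    snapshot keys (constructed by the caller, e.g. from an EDR export):
      windir, sysdir - real directories the placeholders stand for
      files          - paths present on disk
      run_entries    - HKLM\\...\\CurrentVersion\\Run values, name -> command
      listening      - (port, image_name) pairs from the listening-socket table
    """
    windir, sysdir = snapshot["windir"], snapshot["sysdir"]
    present = {p.lower() for p in snapshot["files"]}
    hits = [f"dropped file: {f}" for f in DROPPED_FILES
            if resolve(f, windir, sysdir) in present]
    # Registry value names are case-insensitive; the command may be quoted.
    run = {k.lower(): v for k, v in snapshot["run_entries"].items()}
    cmd = run.get(RUN_KEY_NAME.lower(), "")
    if cmd.strip('"').lower() == resolve(RUN_KEY_VALUE, windir, sysdir):
        hits.append(f"Run key '{RUN_KEY_NAME}' -> {cmd}")
    for port, image in snapshot["listening"]:
        if port == BACKDOOR_PORT and image.lower() == "system.exe":
            hits.append(f"SYSTEM.EXE listening on port {port}")
    return hits


# Constructed sample snapshots; not real telemetry.
INFECTED = {
    "windir": r"C:\WINDOWS", "sysdir": r"C:\WINDOWS\system32",
    "files": [r"C:\WINDOWS\msto32.dll", r"C:\WINDOWS\SYSTEM.EXE",
              r"C:\WINDOWS\sysini.ini", r"C:\WINDOWS\system32\svchostc.exe",
              r"C:\WINDOWS\system32\svchosts.exe", r"C:\WINDOWS\notepad.exe"],
    "run_entries": {"online service": '"C:\\WINDOWS\\SYSTEM.EXE"'},
    "listening": [(135, "svchost.exe"), (10002, "SYSTEM.EXE")],
}
CLEAN = {**INFECTED, "files": [r"C:\WINDOWS\notepad.exe"],
         "run_entries": {}, "listening": [(135, "svchost.exe")]}
```

`triage(INFECTED)` returns seven hits (five files, the Run key and the listener) while `triage(CLEAN)` returns an empty list; a single hit still merits a look, since the dropper may not have completed.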