Summary
| Protection available since | 20 July 2004 14:05:29 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Tofger-AA is a multi-component Trojan which consists of a main dropper, a backdoor and a keylogging component.
The Trojan drops the following files:
C:\<Windows>\MSRT32.DLL
C:\<Windows>\SACHOST.EXE
C:\<Windows>\SYSINI.INI
C:\<Windows system>\SACHOSTC.EXE
C:\<Windows system>\SACHOSTS.EXE
Troj/Tofger-AA adds the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Onluna Sarvice
to run SACHOST.EXE on system restart.
The Trojan also sets the registry entry:
HKLM\SOFTWARE\Microsoft\Mserv\IDwin.
SACHOST.EXE runs in the background as a service process, sends registration information to a remote website and logs keystrokes to the file sysini.ini.
Troj/Tofger-AA has backdoor functionality that allows a malicious user remote control over an infected computer. The Trojan opens several TCP ports and listens for backdoor commands.
Troj/Tofger-AA also attempts to download and execute updates from the internet.
MSRT32.DLL is the keylogging component of the Trojan and is invoked by SACHOST.EXE.
SACHOSTS.EXE and SACHOSTC.EXE are detected as Troj/Daemoni-D.
SYSINI.INI is a benign text file that is used to record captured keystrokes and other information. The Trojan mails the contents of this file to a remote address at regular intervals.
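A host triage check built from the artifacts listed above, added here as an example and not Sophos's own tooling. It assumes that `<Windows>` maps to `$env:SystemRoot` and `<Windows system>` to the System32 directory, and, because the page does not say whether `IDwin` is a subkey or a value under `Mserv`, it checks for both.

```powershell
# Added example: look for the Troj/Tofger-AA artifacts described in the analysis.
# Assumption: <Windows> is $env:SystemRoot, <Windows system> is the System32 folder.
$windowsDir = $env:SystemRoot
$systemDir  = [Environment]::GetFolderPath('System')

$droppedFiles = @(
    (Join-Path $windowsDir 'MSRT32.DLL'),
    (Join-Path $windowsDir 'SACHOST.EXE'),
    (Join-Path $windowsDir 'SYSINI.INI'),
    (Join-Path $systemDir  'SACHOSTC.EXE'),
    (Join-Path $systemDir  'SACHOSTS.EXE')
)

$findings = @()

# Dropped components (MSRT32.DLL is the keylogger, SYSINI.INI the capture log).
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += "Dropped file present: $path"
    }
}

# Persistence: the Run value name the Trojan registers (note the misspelling).
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntry = Get-ItemProperty -Path $runKey -Name 'Onluna Sarvice' -ErrorAction SilentlyContinue
if ($runEntry) {
    $findings += "Run entry 'Onluna Sarvice' -> $($runEntry.'Onluna Sarvice')"
}

# Marker the Trojan sets under HKLM\SOFTWARE\Microsoft\Mserv; IDwin may be a value or a subkey.
$mservKey = 'HKLM:\SOFTWARE\Microsoft\Mserv'
if (Test-Path -Path "$mservKey\IDwin") {
    $findings += "Registry subkey $mservKey\IDwin present"
} elseif (Get-ItemProperty -Path $mservKey -Name 'IDwin' -ErrorAction SilentlyContinue) {
    $findings += "Registry value IDwin present under $mservKey"
}

# SACHOST.EXE runs as a background process on an infected host.
if (Get-Process -Name 'sachost' -ErrorAction SilentlyContinue) {
    $findings += 'Process sachost.exe is running'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Tofger-AA artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run from an elevated PowerShell prompt so the HKLM keys and the system directories are readable; any hit should be followed by the standard Trojan removal procedure referenced under Action.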
