Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 26 May 2006 12:59:53 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Torpig-AV is a Trojan for the Windows platform.
When Troj/Torpig-AV is run, some or all of the following files are created, either in the folder "C:\Program Files\Common Files\Microsoft Shared\Web Folders" or in the folder <System>\..\temp:
- ibm00000.exe
- ibm00001.dll
- ibm00001.exe
- ibm00002.dll
- tmp.tmp

All files whose names start with ibm are executables in the Torpig family of Trojans. tmp.tmp is a clean data file. Troj/Torpig-AV may attempt to delete files with the same name if they already exist.
Registry entries may be set at the following locations to run ibm00001.exe on startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

An entry may be added to the file SYSTEM.INI in the "boot" section to attempt to run ibm00001.exe on startup.
The Trojan attempts to steal passwords, logs keypresses and open window titles to text files, and periodically sends the collected information to a remote user via HTTP.
The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further actions.
Troj/Torpig-AV automatically closes security warning messages displayed by common anti-virus and security-related applications.
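
The file names and startup locations listed above can be checked against triage data already collected from a host. The following is an added example, not Sophos code: it assumes file paths, registry values and the SYSTEM.INI text have been exported beforehand and that <System> resolves to C:\Windows\System32; the function names and sample data are constructed for illustration.

```python
import ntpath

# Indicators from the description above. tmp.tmp is described as a clean data
# file, so only the ibm* names are treated as Trojan components.
IBM_FILES = {"ibm00000.exe", "ibm00001.dll", "ibm00001.exe", "ibm00002.dll"}
STARTUP_BINARY = "ibm00001.exe"
WEB_FOLDERS = r"c:\program files\common files\microsoft shared\web folders"
STARTUP_KEYS = {r"hkcu\software\microsoft\windows\currentversion\run",
                r"hklm\software\microsoft\windows nt\currentversion\winlogon"}
HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}

def scan_files(paths, system_dir=r"C:\Windows\System32"):
    """Listed ibm* names found in either drop folder (system_dir is assumed)."""
    temp = ntpath.normpath(ntpath.join(system_dir, "..", "temp")).lower()
    hits = []
    for p in paths:
        folder, name = ntpath.split(ntpath.normpath(p).lower())
        if name in IBM_FILES and folder in (WEB_FOLDERS, temp):
            hits.append(p)
    return hits

def scan_registry(values):
    """(key, name) pairs under the two startup keys whose data runs ibm00001.exe."""
    hits = []
    for key, name, data in values:
        hive, _, rest = key.lower().partition("\\")
        if (HIVES.get(hive, hive) + "\\" + rest in STARTUP_KEYS
                and STARTUP_BINARY in data.lower()):
            hits.append((key, name))
    return hits

def scan_system_ini(text):
    """Lines in the [boot] section of SYSTEM.INI that reference ibm00001.exe."""
    section, hits = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and not line.startswith(";") and STARTUP_BINARY in line.lower():
            hits.append(line)
    return hits

# Constructed triage data (not from a real host).
SAMPLE_FILES = [r"C:\WINDOWS\system32\..\temp\ibm00001.exe",
                r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll",
                r"C:\Users\a\Downloads\ibm00001.exe"]
SAMPLE_REG = [(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
               "ExampleValue", r"C:\WINDOWS\temp\ibm00001.exe"),
              (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "Explorer.exe")]
SAMPLE_INI = "[drivers]\nwave=mmdrv.dll\n[Boot]\n; shell=ibm00001.exe\nshell=Explorer.exe ibm00001.exe\n"
```

The checks match any value under the two registry keys rather than a specific value name, because the description does not say which value the Trojan sets.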
