high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 8 September 2005 21:07:17 (GMT) |
| Last updated | 14 September 2005 08:17:27 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Torpig-C is a Trojan for the Windows platform.
When Troj/Torpig-C is run some or all of the following files are created either in the folder C:\Program Files\Common Files\Microsoft Shared\Web Folders or in the folder <Windows system folder>\..\temp:
ibm00000.exe
ibm00001.dll
ibm00001.exe
ibm00002.dll
tmp.tmp
All files starting ibm are detected as Troj/Torpig-C. The file tmp.tmp is a clean data file. Troj/Torpig-C may attempt to delete files with the same name if they already exist.
The following registry entry is created to run ibm00001.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<path to ibm00001.exe>
The following registry entry may be created to run ibm00001.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<path to ibm00001.exe>"
An entry may be added to the file SYSTEM.INI in the "boot" section with a key name of "shell" to attempt to run ibm00001.exe on startup.
The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP.
The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further behaviors.
Troj/Torpig-C automatically closes security warning messages displayed by common anti-virus and security related applications.
|
