Sophos

Troj/Turgen-A

Aliases
  • Trojan-PSW.Win32.Turgen.b

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 29 June 2005 12:57:12 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32Host Process
<System>\webemir.exe

and delete it if it exists.

Close the registry editor.
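The manual check above can be scripted. The following PowerShell script is an added example, not part of the Sophos write-up: it looks for the Run value, the webemir.exe copy and the dropped file names the advisory lists, exports the Run key as a backup, and removes what it finds only when -Remove is given. The current directory is assumed to stand in for the advisory's <current folder>, and a running webemir.exe process is assumed to have been stopped already.

```powershell
param([switch]$Remove)   # report only unless -Remove is given

$runKeyPs  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKeyReg = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Win32Host Process'      # value name from the advisory
# Dropped file names listed in the advisory; the .txt files hold harvested data.
$dropped   = 'psvx.exe','msnx.exe','netx.exe','malx.exe',
             'psvx.txt','msnx.txt','netx.txt','malx.txt','system.txt'
$system    = [Environment]::SystemDirectory          # <System>
$folders   = (Get-Location).Path, $env:TEMP, $env:windir, $system   # assumed <current folder>, <Temp>, <Windows>, <System>

function Find-TurgenIndicators {
    $hits  = @()
    # Registry persistence: Run value pointing at webemir.exe
    $props = Get-ItemProperty -Path $runKeyPs -ErrorAction SilentlyContinue
    $data  = if ($props) { $props.$valueName } else { $null }
    if ($data -and $data -match '(?i)webemir\.exe') {
        $hits += [pscustomobject]@{ Kind = 'Registry'; Path = "$runKeyReg\$valueName"; Detail = $data }
    }
    # Files: the relocated copy plus each dropped name in each candidate folder
    $files = @(Join-Path $system 'webemir.exe')
    foreach ($f in $folders) { foreach ($n in $dropped) { $files += Join-Path $f $n } }
    foreach ($p in ($files | Select-Object -Unique)) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hits += [pscustomobject]@{ Kind = 'File'; Path = $p; Detail = (Get-Item -LiteralPath $p).Length }
        }
    }
    return $hits
}

$hits = Find-TurgenIndicators
if (-not $hits) { Write-Host 'No Troj/Turgen-A indicators found.'; return }
$hits | Format-Table -AutoSize

if ($Remove) {
    # Back up the Run key first, as the removal instructions advise for the registry.
    $backup = Join-Path $env:TEMP ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $runKeyReg $backup /y | Out-Null
    foreach ($h in $hits) {
        if ($h.Kind -eq 'Registry') { Remove-ItemProperty -Path $runKeyPs -Name $valueName }
        else { Remove-Item -LiteralPath $h.Path -Force }   # fails if webemir.exe is still running
    }
    Write-Host "Removed $($hits.Count) item(s); registry backup at $backup"
}
```

Run it from an elevated prompt; without -Remove it only lists what it found.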

More Information

Troj/Turgen-A is a password stealing Trojan which attempts to steal confidential information and send it to a remote location via email.

Troj/Turgen-A includes functionality to:

- silently download, install and run new software
- send stolen information to remote locations

Troj/Turgen-A harvests confidential information, including user names, passwords and account information from email accounts, and information from the following applications:

MSN Messenger
Windows Messenger
Yahoo Messenger (Versions 5.x and 6.x)
ICQ Lite 4.x/2003
AOL Instant Messenger
AOL Instant Messenger/Netscape 7
Trillian
Miranda
GAIM

Troj/Turgen-A also steals the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer. The passwords are revealed by reading the information from the Protected Storage.

When first run Troj/Turgen-A moves itself to <System>\webemir.exe.

Troj/Turgen-A may also create the following files:

psvx.exe
msnx.exe
netx.exe
malx.exe
psvx.txt
msnx.txt
netx.txt
malx.txt
system.txt

These files may be found in the <current folder>, <Temp>, <Windows> or <System> folder. They are not themselves malicious, but they should be deleted.

The following registry entry is created to run webemir.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32Host Process
<System>\webemir.exe
