Sophos

Troj/Tofger-BG

Aliases
  • TrojanDropper.Win32.Small.jw
  • TrojanSpy.Win32.Tofger.bg

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from October 2004 (3.86)
Protection available since 27 August 2004 08:07:07 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Default System Research = <WINDOWS>\vhchost.exe

and delete it if it exists.

Close the registry editor.

Change any passwords that may have become compromised.
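The steps above as a single report-and-remove script. This is an added example, not a Sophos tool: it checks only the artefacts named on this page (the Run value, the dropped files, the USERT capture folder), assumes a standard %WINDIR%\System32 layout, and deletes nothing unless run with -Remove from an elevated prompt.

```powershell
# Added example (not Sophos's own code): triage and optional removal of the
# Troj/Tofger-BG artefacts described on this page. Report-only unless -Remove is given.
[CmdletBinding()]
param(
    [switch]$Remove
)

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName = 'Default System Research'
$windir  = $env:WINDIR
$sysdir  = Join-Path $windir 'System32'

# Dropped files from the description. Both spellings of the dropper are checked
# because the page names the file VCHOST.EXE but the Run value points at vhchost.exe.
$files = @(
    (Join-Path $windir 'vchost.exe'),
    (Join-Path $windir 'vhchost.exe'),
    (Join-Path $sysdir 'scrnr32.dll'),
    (Join-Path $sysdir 'winrr.exe')
)
$logDir = Join-Path $sysdir 'USERT'

$findings = @()

# 1. Autorun entry in HKLM\...\Run
$val = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($val) {
    $findings += "Run value '$valName' = $($val.$valName)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valName }
}

# 2. A running copy holds the executable open, so stop it before deleting files
Get-Process -Name 'vchost', 'vhchost' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process $($_.Name) (PID $($_.Id)) running from $($_.Path)"
    if ($Remove) { Stop-Process -Id $_.Id -Force }
}

# 3. Dropped files
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 4. Capture folder: copy it aside before removal so you can see which sessions were
#    logged and decide which passwords to change.
if (Test-Path -LiteralPath $logDir) {
    $items = Get-ChildItem -LiteralPath $logDir -Force
    $findings += "Capture folder $logDir holds $($items.Count) item(s)"
    if ($Remove) {
        $archive = Join-Path $env:TEMP ('tofger_usert_' + (Get-Date -Format 'yyyyMMddHHmmss'))
        Copy-Item -LiteralPath $logDir -Destination $archive -Recurse
        Remove-Item -LiteralPath $logDir -Recurse -Force
        $findings += "Capture folder copied to $archive for review"
    }
}

if ($findings.Count -eq 0) { 'No Troj/Tofger-BG artefacts found.' } else { $findings }
```

Run it once without -Remove to see what is present, review the USERT contents, then run it again with -Remove. Reboot afterwards and run a full scan, since the script only knows the artefacts this page lists.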

More Information

Troj/Tofger-BG is a Spyware Trojan that runs continuously in the background logging key presses and taking screen shots when a user accesses certain internet banking sites.

When first run, Troj/Tofger-BG drops the file VCHOST.EXE into the Windows folder (the autorun entry below references it as vhchost.exe, so check for either name). This file is also detected as Troj/Tofger-BG.

In order to run automatically each time Windows is started, the Trojan sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Default System Research = <WINDOWS>\vhchost.exe

Troj/Tofger-BG then runs in the background monitoring the user's internet browsing. The Trojan searches each visited URL for the following internet-banking-related substrings:

e-gold
bank
hsbc
halifax
barclays
openplan
lloyds
abbey
cahoot
nationwide
nwolb
natwest
nationet
woolwich

If the URL contains any of these strings, Troj/Tofger-BG logs key presses and takes screen shots of the desktop. Because the test is a plain substring match, any URL containing one of these words triggers capture, not only the banking sites themselves. The captured information is stored as files in a folder named USERT in the Windows System folder.
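To work out which sessions an infected machine would have captured (and so which passwords to change), the trigger test can be replayed over a web proxy log. The following is an added example, not part of the Sophos description: the log format (timestamp, user, URL) and the sample lines are constructed for the demonstration, and the infection time is an assumed value.

```powershell
# Added example (not Sophos's own code): replay the Troj/Tofger-BG URL trigger test
# over proxy log lines to list the sessions that would have been captured.
$triggers = 'e-gold', 'bank', 'hsbc', 'halifax', 'barclays', 'openplan', 'lloyds',
            'abbey', 'cahoot', 'nationwide', 'nwolb', 'natwest', 'nationet', 'woolwich'

function Test-TofgerTrigger {
    param([string]$Url)
    # The Trojan does a plain substring search over the whole URL, so match
    # case-insensitively anywhere in it, not just in the host name.
    $u = $Url.ToLowerInvariant()
    foreach ($t in $triggers) {
        if ($u.Contains($t)) { return $t }
    }
    return $null
}

# Constructed sample proxy log: "<ISO time> <user> <url>"
$log = @'
2004-08-27T08:55:00Z alice https://www.hsbc.co.uk/1/2/personal/internet-banking
2004-08-27T09:01:12Z alice http://www.example.com/news
2004-08-27T09:03:40Z alice https://www.hsbc.co.uk/1/2/personal/internet-banking
2004-08-27T09:10:05Z bob   https://www.nwolb.com/default.aspx
2004-08-27T09:12:00Z bob   http://www.example.org/abbey-road-tour
2004-08-27T09:15:30Z carol https://ibank.barclays.co.uk/olb/auth/LoginLink.action
'@

# Assumed: earliest time the Trojan could have been running on this host.
$infectedSince = [datetimeoffset]'2004-08-27T09:00:00Z'

$hits = foreach ($line in ($log -split "`n")) {
    $time, $user, $url = $line.Trim() -split '\s+', 3
    if ([datetimeoffset]$time -lt $infectedSince) { continue }   # before infection, not captured
    $t = Test-TofgerTrigger $url
    if ($t) {
        [pscustomobject]@{ Time = $time; User = $user; Trigger = $t; Host = ([uri]$url).Host }
    }
}
$hits | Format-Table -AutoSize
```

On the sample, alice's 08:55 HSBC visit is excluded by the infection window, while bob's www.example.org page is listed because "abbey" occurs in its path: the capture folder can contain keystrokes and screen shots from non-banking pages too, so review the USERT contents rather than assuming only bank credentials were exposed.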

Periodically, Troj/Tofger-BG will package the files in the USERT folder and send the packed RAR file to a remote location.

Troj/Tofger-BG also drops the files SCRNR32.DLL and WINRR.EXE into the Windows system folder.

SCRNR32.DLL is used by the Trojan to log key presses and send the stolen information out. This file is also detected as Troj/Tofger-BG.

WINRR.EXE is used by the Trojan to create RAR files and is not malicious.
