high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | November 2005 (3.99) |
| Protection available since | 16 September 2005 21:45:45 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Torpig-D is a Trojan for the Windows platform.
When Troj/TorpigD is run some or all of the following files are created either in the folder C:\Program Files\Common Files\Microsoft Shared\Web Folders or in the folder <System>\..\temp:
ibm00000.exe
ibm00001.dll
ibm00001.exe
ibm00002.dll
tmp.tmp
The file ibm00000.exe is detected is Troj/Torpig-C. The file tmp.tmp is a clean data file. All other files are detected as Troj/Torpig-D.
The following registry entry is created to run ibm00001.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<path to ibm00001.exe>
The following registry entry may be created to run ibm00001.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<path to ibm00001.exe>"
An entry may be added to the file SYSTEM.INI in the "boot" section with a key name of "shell" to attempt to run ibm00001.exe on startup.
The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP.
The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further behaviors.
Troj/Torpig-D automatically closes security warning messages displayed by common anti-virus and security related applications.
|
