Virus

W32/Tofger!tr

Analysis

  • The Trojan is a 32-bit Windows executable with a file size of 13,824 bytes
  • The Trojan may be introduced to the system via a malicious web page
  • If the Trojan is run, it copies itself to the Windows folder (for example C:\WINNT) as "system.exe"
  • The Trojan then modifies the registry so that this copy is run at the next Windows startup, as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "Online Service" = C:\WINNT\system.exe

  • Next, the Trojan writes two additional files into the same Windows folder -

    msin32.dll (3,072 bytes)
    sysini.ini (42 bytes)

  • The file msin32.dll performs the keyboard logging for the Trojan: keystrokes are monitored and recorded, and when the infected system accesses the Internet the saved key log data is sent to a preconfigured web address

  • The Trojan contacts the web address xakoz.com and submits the data to a server-side script there

  • The Trojan contains the string "***Computer was successfully infected***" in its code

  • The Trojan also contains the string "TGFR SDRE", from which it received its name: "TGFR" reordered to "TFGR" and read phonetically gives "Tofger"
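The following host check is an added example, not part of the original entry and not code from Fortinet or from the Trojan's author. It looks for exactly the indicators listed above (the "Online Service" Run value pointing at system.exe, the three dropped files with their reported sizes, and traffic to xakoz.com) and reports name-only matches separately from name-and-size matches so that a variant or an unrelated file of the same name is not silently accepted or discarded. The registry values, directory listing and proxy log lines embedded in the block are constructed for illustration; on a Windows host the script reads the real Run key through winreg and the folder named by %SystemRoot% instead, which is an assumption about where the Windows folder lives rather than something the entry states.

```python
"""Indicator check for W32/Tofger!tr (added example, not Fortinet code).

Indicators are taken from the analysis above: the Run value "Online Service"
-> <Windows folder>\\system.exe, the dropped files and their sizes, and the
upload host xakoz.com. The sample data at the bottom is constructed.
"""
import os

RUN_VALUE_NAME = "Online Service"
# system.exe is a copy of the Trojan itself, so it should be 13,824 bytes.
DROPPED_FILES = {"system.exe": 13824, "msin32.dll": 3072, "sysini.ini": 42}
C2_DOMAIN = "xakoz.com"


def check_run_values(run_values):
    """Flag HKLM Run values matching the persistence entry.

    run_values maps value name -> data. A hit is the exact value name from the
    analysis, or any value whose data ends in \\system.exe, since the name is
    attacker-chosen and could differ between samples. Returns (name, data).
    """
    hits = []
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME or str(data).lower().endswith("\\system.exe"):
            hits.append((name, str(data)))
    return hits


def check_windows_dir(listing):
    """Flag dropped files in the Windows folder.

    listing maps filename -> size in bytes. Returns (name, size, size_ok) so a
    file with the expected name but a different size is reported, not hidden.
    """
    hits = []
    for fname, size in listing.items():
        expected = DROPPED_FILES.get(fname.lower())
        if expected is not None:
            hits.append((fname.lower(), size, size == expected))
    return hits


def check_proxy_log(lines):
    """Return log lines referencing the Trojan's upload host (any subdomain)."""
    return [ln for ln in lines if C2_DOMAIN in ln.lower()]


def read_live_run_key():
    """Enumerate the real HKLM Run key on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = data
            i += 1
    return values


def read_live_windows_dir():
    """List files in %SystemRoot% (assumed to be the Windows folder); None elsewhere."""
    root = os.environ.get("SystemRoot")
    if not root or not os.path.isdir(root):
        return None
    return {e.name: e.stat().st_size for e in os.scandir(root) if e.is_file()}


# Constructed sample data, not captured from a real infection.
SAMPLE_RUN_VALUES = {
    "Synchronization Manager": "mobsync.exe /logon",
    "Online Service": r"C:\WINNT\system.exe",
}
SAMPLE_WINDOWS_DIR = {
    "explorer.exe": 1032192, "win.ini": 219,
    "system.exe": 13824, "msin32.dll": 3072, "sysini.ini": 42,
}
SAMPLE_PROXY_LOG = [
    "10.0.0.12 GET http://www.example.com/index.html 200",
    "10.0.0.12 POST http://xakoz.com/ 200",
]

if __name__ == "__main__":
    run_hits = check_run_values(read_live_run_key() or SAMPLE_RUN_VALUES)
    file_hits = check_windows_dir(read_live_windows_dir() or SAMPLE_WINDOWS_DIR)
    net_hits = check_proxy_log(SAMPLE_PROXY_LOG)
    for label, hits in (("run", run_hits), ("file", file_hits), ("net", net_hits)):
        for h in hits:
            print(f"[{label}] {h}")
    print("infected" if run_hits or file_hits or net_hits else "no indicators found")
```

A size mismatch on msin32.dll or system.exe is worth treating as a finding rather than a false positive: the filenames are specific enough that a different size more likely means a repacked variant than a coincidence.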

Recommended Action

  • Block access to the web address xakoz.com
  • Remove the "Online Service" value from the Run key and delete system.exe, msin32.dll and sysini.ini from the Windows folder
  • Treat any passwords or other credentials typed on the infected system as compromised and change them