• Trojan is 32bit with a file size of 13,824 bytes
  • Trojan may be introduced to the system from a malicious web page
  • If Trojan is run, it will copy itself to the undefinedWindowsundefined folder as "system.exe"
  • The Trojan then modifies the registry to auto run at next Windows startup as in this example -

    "Online Service" = C:\WINNT\system.exe

  • Next, the Trojan will write two additional files into the undefinedWindowsundefined folder -

    msin32.dll (3,072 bytes)
    sysini.ini (42 bytes)

  • The file MSIN32.DLL assists in keyboard logging for the Trojan - key strokes are monitored and recorded, and if the infected system accesses the Internet, the saved key log data is sent to a preconfigured web address

  • The Trojan contacts the web address and sends data using a server side script

  • Trojan contains the text "***Computer was successfully infected***" in its code

  • Trojan also contains the string "TGFR SDRE" which is how the Trojan received its name - a phonetic rearrangement of TGFR to TFGR, or Tofger

Recommended Action

  • Block access to the web address