
Troj/Tofger-R

Mar 17, 2004 12:54AM PST

Aliases
TrojanSpy.Win32.Tofger.y, Trojan.Etsur

Type
Trojan

Description
Troj/Tofger-R is a password-stealing Trojan.
The Trojan logs keystrokes and confidential information and then attempts to email this data to a remote location.

When the installation executable is run, the files svchost.exe, inites.ini and wmsro32.dll are dropped to the Windows folder and svchost.exe is run.

The following registry entry is created, so that svchost.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Startup = <WINDOWS>\svchost.exe

Wmsro32.dll is a simple keylogger DLL and inites.ini is a harmless text file.

The Trojan periodically attempts to download an executable from a remote location to the System folder as surte.exe and then run it.

http://www.sophos.com/virusinfo/analyses/trojtofgerr.html
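
A host-side check for the artefacts listed above, as an added example that is not part of the original post or of the Sophos analysis. The `C:\Windows` location, the function names and the sample data are assumptions constructed for illustration.

```python
import ntpath

# File names come from the description above; the folder layout is an assumption
# (Windows folder = C:\Windows, System folder = System32, SysWOW64 or System).
WINDOWS_DROPS = {"svchost.exe", "inites.ini", "wmsro32.dll"}
SYSTEM_DROPS = {"surte.exe"}


def norm(path):
    """Normalise a Windows path (case, slashes, surrounding quotes)."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def find_indicators(run_values, file_paths, windir=r"C:\Windows"):
    """Return (kind, detail) tuples for artefacts matching the description.

    run_values: value name -> data from the HKLM Run key, assumed to be a
                bare (optionally quoted) path with no arguments.
    file_paths: full paths of files present on the host.
    """
    win = norm(windir)
    genuine = {norm(ntpath.join(windir, d)) for d in ("System32", "SysWOW64")}
    system = genuine | {norm(ntpath.join(windir, "System"))}
    findings = []
    for name, data in run_values.items():
        exe = norm(data)
        # The genuine svchost.exe sits in System32 (SysWOW64 on 64-bit Windows);
        # a Run entry starting a copy from anywhere else is masquerading.
        if ntpath.basename(exe) == "svchost.exe" and ntpath.dirname(exe) not in genuine:
            findings.append(("run-key", name))
    for path in file_paths:
        folder, base = ntpath.split(norm(path))
        if folder == win and base in WINDOWS_DROPS:
            findings.append(("windows-folder", base))
        elif folder in system and base in SYSTEM_DROPS:
            findings.append(("system-folder", base))
    return findings


# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {"Windows Startup": r"C:\WINDOWS\svchost.exe",
              "ExampleApp": r'"C:\Program Files\Example\app.exe"'}
SAMPLE_FILES = [r"C:\WINDOWS\wmsro32.dll", r"C:\WINDOWS\inites.ini",
                r"C:\Windows\System32\svchost.exe",
                r"C:\Windows\System32\surte.exe", r"C:\Users\demo\inites.ini"]
```

The genuine `C:\Windows\System32\svchost.exe` and the same-named `inites.ini` in a user folder are not flagged, because each file name is matched only in the folder the description places it in.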
