W32/Tofger!tr
Analysis
- The Trojan is a 32-bit executable with a file size of 13,824 bytes
- The Trojan may be introduced to the system from a malicious web page
- If the Trojan is run, it copies itself to the %Windows% folder as "system.exe"
- The Trojan then modifies the registry so that it runs automatically at the next Windows startup, as in this example:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  "Online Service" = C:\WINNT\system.exe
- Next, the Trojan writes two additional files into the %Windows% folder:
  msin32.dll (3,072 bytes)
  sysini.ini (42 bytes)
- The file MSIN32.DLL handles keyboard logging for the Trojan: key strokes are monitored and recorded, and when the infected system accesses the Internet, the saved key log data is sent to a preconfigured web address
- The Trojan contacts the web address xakoz.com and sends data using a server-side script
- The Trojan contains the text "***Computer was successfully infected***" in its code
- The Trojan also contains the string "TGFR SDRE", which is the source of its name: a phonetic rearrangement of TGFR to TFGR, or Tofger
Recommended Action
- Block access to the web address xakoz.com
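The indicators above (the Run key value, the dropped file names and sizes, and the contacted domain) can be checked on a host with a short script. This is an added example, not Fortinet's code: it parses a .reg export of the Run key, a {path: size} file listing and a few DNS log lines, all of which are constructed sample inputs here; the `parse_reg_export` helper is written for this example and assumes Run values carry no command-line arguments.

```python
import ntpath
from typing import Dict, List

# Indicators quoted from the analysis above; sizes in bytes.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Online Service"
DROPPED_FILES = {"system.exe": 13824, "msin32.dll": 3072, "sysini.ini": 42}
C2_DOMAIN = "xakoz.com"

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] and "name"="data" lines of a .reg export into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            # .reg exports escape backslashes as \\ ; undo that for path comparison
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def check_run_key(reg_text: str) -> List[str]:
    """Flag Run entries named "Online Service" or launching a file called system.exe."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() or ntpath.basename(data).lower() == "system.exe":
            findings.append(f"Run value {name!r} -> {data}")
    return findings

def check_dropped_files(listing: Dict[str, int]) -> List[str]:
    """Match a {path: size} listing against the dropped-file names; report whether the size also matches."""
    findings = []
    for path, size in listing.items():
        expected = DROPPED_FILES.get(ntpath.basename(path).lower())
        if expected is not None:
            status = "size matches" if size == expected else f"size differs (expected {expected})"
            findings.append(f"{path}: {status}")
    return findings

def check_dns(log_lines: List[str]) -> List[str]:
    """Return log lines that name the contacted domain (case-insensitive)."""
    return [line for line in log_lines if C2_DOMAIN in line.lower()]

# Constructed sample data, not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Online Service"="C:\\WINNT\\system.exe"
"Example Tool"="C:\\Program Files\\Example\\tool.exe"
'''
SAMPLE_FILES = {r"C:\WINNT\system.exe": 13824, r"C:\WINNT\msin32.dll": 3072,
                r"C:\WINNT\sysini.ini": 42, r"C:\WINNT\readme.txt": 120}
SAMPLE_DNS = ["2004-03-01 10:02:11 query A xakoz.com from 10.0.0.5",
              "2004-03-01 10:02:15 query A www.example.com from 10.0.0.5"]

if __name__ == "__main__":
    for finding in check_run_key(SAMPLE_REG) + check_dropped_files(SAMPLE_FILES) + check_dns(SAMPLE_DNS):
        print("SUSPECT:", finding)
```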
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |