
PWS:Win32/Torug.A


First posted on 20 September 2010.
Source: SecurityHome

Aliases :

There are no other names known for PWS:Win32/Torug.A.

Explanation :

PWS:Win32/Torug.A is a trojan that monitors certain web browsers and processes in an attempt to steal sensitive data such as logon credentials.

Installation

PWS:Win32/Torug.A is installed by TrojanDropper:Win32/Torug.A as the following file:

  • %temp%\spoolsv.dll

It is executed by Trojan:Win32/Torug.A. When it executes, it copies itself from %temp% to <system folder>. The file name mimics the legitimate print spooler, spoolsv.exe, which also lives in the system folder; the two should not be confused when triaging a host.

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 it is C:\Windows\System32.

PWS:Win32/Torug.A may also create copies of itself using random names in %temp%.

Payload

Steals sensitive data

PWS:Win32/Torug.A monitors the following processes (web browsers, mail clients and Skype) and attempts to capture transactions such as account logins:

  • avant.exe
  • chrome.exe
  • eudora.exe
  • firefox.exe
  • iexplore.exe
  • mozilla.exe
  • msimn.exe
  • MyIE.exe
  • netscp.exe
  • opera.exe
  • outlook.exe
  • postman2.exe
  • Skype.exe
  • thebat.exe
  • thunderbird.exe

It may store captured data in the following files:

  • %temp%\recen32.dll
  • %temp%\dwtmp1.tmp

It may then send the gathered data via HTTP to a remote server.

Downloads and executes arbitrary files

PWS:Win32/Torug.A may download and execute arbitrary files, which may be detected as other malware, on the computer.
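The file and process names above are the only host indicators this description gives, so a responder checking a machine will want to look for exactly those. The script below is an added triage example written for this page; it is not Microsoft's tooling and does not come from the malware analysis itself. It checks %temp% and the system folder for the named files (case-insensitively, since NTFS is), and, given `tasklist /fo csv /nh` output, reports which of the hooked processes are running so the analyst knows which credentials may have been captured. The random-named copies in %temp% cannot be matched by name and are deliberately not covered; the directory resolution falls back to the defaults the description lists when the environment variables are absent, which is an assumption so that the same functions run on a test tree on any OS.

```python
"""Host triage helper for the PWS:Win32/Torug.A indicators named above.

Added example, not part of the original description. It only looks for the
fixed file names the page lists; the random-named %temp% copies are out of
scope for a name-based check and need hashing or AV scanning instead.
"""
import csv
import io
import os
import sys
from pathlib import Path

# File names copied from the description. spoolsv.dll in %temp% is the dropped
# payload; the same name in the system folder is the installed copy. The
# legitimate print spooler is spoolsv.exe, so a spoolsv.dll there is suspicious
# but should still be confirmed by hand (hash/signature) before any cleanup.
TEMP_INDICATORS = ("spoolsv.dll", "recen32.dll", "dwtmp1.tmp")
SYSTEM_INDICATORS = ("spoolsv.dll",)

# Processes the trojan hooks for credentials (list copied from the page).
MONITORED_PROCESSES = frozenset(p.lower() for p in (
    "avant.exe", "chrome.exe", "eudora.exe", "firefox.exe", "iexplore.exe",
    "mozilla.exe", "msimn.exe", "MyIE.exe", "netscp.exe", "opera.exe",
    "outlook.exe", "postman2.exe", "Skype.exe", "thebat.exe", "thunderbird.exe",
))


def default_dirs():
    """Resolve %temp% and <system folder> from the environment, like the
    malware does; the fallbacks are the defaults quoted in the description
    (assumption: a Windows host where SystemRoot is set)."""
    temp = os.environ.get("TEMP") or os.environ.get("TMP") or r"C:\Windows\Temp"
    windir = os.environ.get("SystemRoot") or os.environ.get("windir") or r"C:\Windows"
    return Path(temp), Path(windir) / "System32"


def find_indicators(temp_dir, system_dir):
    """Return the full paths of indicator files present under the two dirs.

    Matching is case-insensitive so the check behaves the same on a real NTFS
    volume and on a case-sensitive test tree. A missing directory yields no hits.
    """
    hits = []
    for directory, names in ((Path(temp_dir), TEMP_INDICATORS),
                             (Path(system_dir), SYSTEM_INDICATORS)):
        if not directory.is_dir():
            continue
        present = {entry.name.lower(): entry for entry in directory.iterdir()}
        for name in names:
            if name.lower() in present:
                hits.append(str(present[name.lower()]))
    return hits


def parse_tasklist(text):
    """Extract image names from `tasklist /fo csv /nh` output (first CSV column)."""
    return [row[0] for row in csv.reader(io.StringIO(text)) if row]


def monitored_running(process_names):
    """Return the running processes the trojan is known to hook, sorted, so the
    analyst can tell which browser/mail/Skype credentials are exposed."""
    return sorted({p for p in process_names if p.lower() in MONITORED_PROCESSES})


if __name__ == "__main__":
    # Usage on a host:  tasklist /fo csv /nh | python torug_triage.py
    temp_dir, system_dir = default_dirs()
    for hit in find_indicators(temp_dir, system_dir):
        print("indicator present:", hit)
    if not sys.stdin.isatty():
        for proc in monitored_running(parse_tasklist(sys.stdin.read())):
            print("hooked process running:", proc)
```

A hit on `find_indicators` is a reason to pull the file for hashing and to treat any logons performed from the listed clients on that host as compromised; an empty result does not clear the machine, because the random-named copies and the remote drop server are not covered by this name-based check.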

    Analysis by Marian Radu

    Last update 20 September 2010
