Trojan-Spy:W32/Trojan-Spy

Name: Trojan-Spy:W32/Trojan-Spy
Category: Malware
Type: Trojan-Spy
Platform: W32

Summary

This type of trojan secretly installs spy programs and/or keylogger programs.

Disinfection

Security Advisory

Various spying and data-stealing trojans compromise system security by providing authentication information (logins and passwords, credit card numbers, etc.) to hackers. It is therefore very important to change all logins and passwords after removing these trojans from a computer. Also, if your credit card number has been stolen or your online bank account information has been compromised, it is recommended to contact your credit card company or online bank for help.

Please note that stealing credit card or online bank information is a serious abuse, so you might want to contact the local cybercrime authorities for investigation. In this case, do not perform any disinfection actions on your computer before it is inspected by the authorities.


Automatic Disinfection

Starting from F-Secure Anti-Virus (FSAV) version 5.40, standalone malware (backdoors, worms, trojans, etc.) is automatically removed. FSAV automatically renames malware files to prevent them from being executed.

In rare cases, automatic disinfection is not possible and the user must instruct FSAV to perform disinfection (renaming and/or deleting the infected file).

In special cases, the user is recommended to perform disinfection using specific tools provided by F-Secure. The tools can be downloaded from:

    - ftp://ftp.f-secure.com/anti-virus/tools/
    - http://www.f-secure.com/download-purchase/tools.shtml

In some cases F-Secure Anti-Virus may not automatically disinfect a system. If so, please visit our Support pages at:

    - http://support.f-secure.com/enu/home/virusproblem/howtoclean/


Windows System Restore Issues


If the computer is running the Windows ME or XP operating system, disabling the System Restore feature before disinfection is recommended. This is to avoid possible re-infection by a threat that has just been disinfected, as the System Restore feature may have unknowingly saved a copy of the infected file during its normal procedures. If the System Restore feature is active, it may then copy the infected file back to the hard drive after the user or an antivirus program has renamed or deleted it.

Instructions on how to disable the System Restore feature are here:

    - Windows ME: http://www.f-secure.com/v-descs/sfc_dis.shtml
    - Windows XP: http://www.f-secure.com/v-descs/sfc_dis1.shtml

Once disinfection is complete, re-enabling the System Restore feature is recommended. This will allow the user to restore the system to a stable configuration in the event that a crash or incompatibility issue occurs in the future.


F-Secure Anti-Virus


F-Secure Anti-Virus can be purchased from our online web store or from authorized distributors. A 30-day limited trial version of F-Secure Anti-Virus may be downloaded from our website:

    - http://www.f-secure.com/download-purchase/

All the latest versions of FSAV can automatically download the latest signature database updates. These updates can also be manually downloaded and installed from our web or FTP sites:

    - http://www.f-secure.com/download-purchase/updates.shtml


Contacting F-Secure for help

If you have problems with disinfection, please consult a computer technician or send a message (and a sample) to our Response Lab. We have guidelines for sending virus samples, hoaxes and virus-related questions to F-Secure Response Lab published here:

    - http://support.f-secure.com/enu/home/virusproblem/sample/

Additional Details

This is the Trojan-Spy General Information page.

A Trojan-Spy has a wide range of capabilities, including performing keylogging, monitoring processes on the computer and stealing data from files saved on the machine.

To perform its keystroke monitoring routine, a Trojan-Spy will usually drop a keylogging component. Such a component stays active in Windows memory and starts keylogging (recording keystrokes) when a user is asked to input a log-in and a password. Stolen log-ins and passwords can allow an attacker to read a user's e-mail on public and corporate mail servers, as well as giving access to more sensitive material, such as online banking accounts.

A Trojan-Spy may also perform more general monitoring: keeping a list of the applications that a user ran, archiving the URLs that a user opened and so on. In some cases, the Trojan-Spy's monitoring routine is restricted to a certain time window. For example, it may work only until a certain date and then uninstall itself from the system.

A Trojan-Spy designed to steal data searches for specific files or data on an infected computer, which can then be forwarded to, or retrieved by, the attacker. The type of information sought varies: some trojans try to locate 'key' files that contain authentication information for certain programs or services; others steal the serial numbers of software installed on an infected system. A few e-mail worms steal random data files (Excel or Word files, images) and attach them to e-mails that they send from infected systems.