Threat behavior
Trojan:Win32/Tosy.A is a trojan that may collect sensitive information, such as logon credentials, Web form input data, and cookie data in Internet Explorer.
Installation
Trojan:Win32/Tosy.A is usually present in the computer as:
<system folder>\comspol32.ocx
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.
Payload
Collects user information
Trojan:Win32/Tosy.A may collect logon credentials, Web form input data, and session cookie data from within Internet Explorer. It does this by injecting code into Internet Explorer.
It may monitor traffic between the computer and a Web site when the site address contains any of the following strings:
- .hotmail.
- gawab.com
- gmail.com
- live.com
- mail.
- maktoob.com
- rocketmail.com
- yahoo.co
- ymail.com
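Added triage helpers (not Microsoft's code) that turn the indicators above into checks: the dropped file <system folder>\comspol32.ocx, its presence in an Internet Explorer module list, and the site-address substring match. All inputs are caller-supplied so the functions run offline; on a live Windows host you would pass real file paths and iexplore.exe module lists.

```python
# Added example, not from the original page: offline triage helpers for the
# Trojan:Win32/Tosy.A indicators (dropped file, IE injection, monitored sites).
import ntpath
from typing import Iterable, List, Optional

DROPPED_FILE = "comspol32.ocx"

# Default System folder per OS family, as given in the installation note.
SYSTEM_FOLDER_DEFAULTS = {
    "nt": r"C:\Winnt\System32",
    "2000": r"C:\Winnt\System32",
    "xp": r"C:\Windows\System32",
    "vista": r"C:\Windows\System32",
    "7": r"C:\Windows\System32",
}

# Site-address substrings the trojan watches for (from the Payload section).
MONITORED_SITE_STRINGS = (
    ".hotmail.", "gawab.com", "gmail.com", "live.com", "mail.",
    "maktoob.com", "rocketmail.com", "yahoo.co", "ymail.com",
)


def expected_drop_path(os_family: str, system_folder: Optional[str] = None) -> str:
    """Resolve <system folder>\\comspol32.ocx. An explicit system_folder
    (e.g. taken from %SystemRoot% on the host) overrides the per-OS default."""
    folder = system_folder or SYSTEM_FOLDER_DEFAULTS[os_family.lower()]
    return ntpath.join(folder, DROPPED_FILE)


def find_dropped_file(paths: Iterable[str]) -> List[str]:
    """Return every path whose file name is comspol32.ocx. Windows paths are
    case-insensitive, so the comparison is done on lower-cased names."""
    return [p for p in paths if ntpath.basename(p).lower() == DROPPED_FILE]


def ie_loaded_injected_module(loaded_modules: Iterable[str]) -> bool:
    """True if an iexplore.exe module list contains the dropped OCX, which is
    the injection footprint described in the Payload section."""
    return bool(find_dropped_file(loaded_modules))


def is_monitored_site(url: str) -> bool:
    """Plain substring match, as the page describes. Note how broad 'mail.'
    is: any address with that fragment, not only the listed providers."""
    lowered = url.lower()
    return any(s in lowered for s in MONITORED_SITE_STRINGS)
```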
Avoids detection
Trojan:Win32/Tosy.A may try to avoid being detected by interfering with the following security processes:
- acs.exe
- almon.exe
- alsvc.exe
- alupdate.exe
- antihook.exe
- app_firewall.exe
- asr.exe
- authfw.exe
- avgamsvr.exe
- avgcc.exe
- avgemc.exe
- avgfwsrv.exe
- avginet.exe
- avgrssvc.exe
- avgupsvc.exe
- avp.exe
- avpm.exe
- blink.exe
- blinkrm.exe
- blinksvc.exe
- bootsafe.exe
- cclaw.exe
- cdas17.exe
- cdinstx.exe
- clamd.exe
- cmdagent.exe
- configmgr.exe
- cpf.exe
- dcsuserprot.exe
- df5serv.exe
- df5serverservice.exe
- dfadmin6.exe
- dfservex.exe
- dfw.exe
- dvpapi.exe
- eeyeevnt.exe
- elogsvc.exe
- emlproui.exe
- emlproxy.exe
- fameh32.exe
- fch32.exe
- firewall 2004.exe
- fpavserver.exe
- fprottray.exe
- frzstate.exe
- frzstate2k.exe
- fsaua.exe
- fsav32.exe
- fsbwsys.exe
- fsdfwd.exe
- fsgk32.exe
- fsgk32st.exe
- fsguidll.exe
- fsguiexe.exe
- fsm32.exe
- fsma32.exe
- fsmb32.exe
- fspc.exe
- fspex.exe
- fsqh.exe
- fsrt.exe
- fssm32.exe
- fw.exe
- fwsrv.exe
- fxsrv.exe
- gateway.exe
- icmon.exe
- ike.exe
- ipatrol.exe
- ipcsvc.exe
- ipctray.exe
- jpf.exe
- jpfsrv.exe
- kav.exe
- kavmm.exe
- kpf4gui.exe
- kpf4ss.exe
- licwiz.exe
- live help.exe
- lpfw.exe
- mpsvc.exe
- netguard lite.exe
- netmon.exe
- nip.exe
- njeeves.exe
- nstzerospywarelite.exe
- nvcoas.exe
- nvcsched.exe
- nvoy.exe
- oeinject.exe
- omnitray.exe
- onlinent.exe
- onlnsvc.exe
- op_mon.exe
- pcipprev.exe
- pf6.exe
- pfsvc.exe
- pgaccount.exe
- procguard.exe
- pxagent.exe
- pxconsole.exe
- r-firewall.exe
- rdtask.exe
- rtt_crc_service.exe
- sab_wab.exe
- savadminservice.exe
- savservice.exe
- scanwscs.exe
- smc.exe
- sp_rsser.exe
- spfirewallsvc.exe
- sppfw.exe
- spyhunter3.exe
- spywareterminator.exe
- spywareterminatorshield.exe
- ssupdate.exe
- superantispyware.exe
- swnetsup.exe
- swupdate.exe
- sww.exe
- tikl.exe
- tinykl.exe
- tray.exe
- tsansrf.exe
- tsatisy.exe
- tscutynt.exe
- tsmpnt.exe
- umxagent.exe
- umxcfg.exe
- umxfwhlp.exe
- umxlu.exe
- umxpol.exe
- umxtray.exe
- updclient.exe
- vcatch.exe
- vdtask.exe
- vsdesktop.exe
- vsmon.exe
- wsweepnt.exe
- wwasher.exe
- xauth_service.exe
- xfilter.exe
- zanda.exe
- zerospyware le.exe
- zerospyware lite.exe
- zerospyware lite_installer.exe
- zlclient.exe
- zlh.exe
Analysis by Marian Radu
Prevention