Threat behavior
TrojanSpy:Win32/Turkahn.A is a trojan that logs keyboard and mouse activities, and may send the captured data to an attacker. Win32/Turkahn.A may also attempt to download other malware from a remote Web server.
Installation
This trojan may be installed into the following folder:
%ProgramFiles%\Turkojan
This trojan may be present in this location in the form of a DLL and an executable. File names vary across iterations of the trojan. When executed, the trojan may inject its code into the running processes EXPLORER.EXE, IEXPLORE.EXE and Windows Messenger. The trojan may also create log files named KB8888113.log or KB8888239.log.
Payload
Logs Keystrokes
This trojan may hook the current running thread, and capture all the affected user's mouse and keyboard activities to a log file in the Windows folder. Win32/Turkahn.A may attempt to send the log file to an attacker.
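A host triage check for the file-system traces named under Installation and in this section, as an added example that is not part of the original description. The function name and the extra ProgramFiles(x86) lookup are assumptions; the folder and log file names are the ones given above.

```python
import os
from pathlib import Path

# Indicators stated in the description above.
INSTALL_DIR = "turkojan"                          # %ProgramFiles%\Turkojan
LOG_NAMES = {"kb8888113.log", "kb8888239.log"}    # log files in the Windows folder
BINARY_SUFFIXES = {".dll", ".exe"}                # component names vary, types do not


def _children(directory):
    """Sorted directory entries, or an empty list if it is missing or unreadable."""
    try:
        return sorted(Path(directory).iterdir())
    except OSError:
        return []


def find_turkahn_artifacts(program_files_dirs, windows_dir):
    """Return (kind, path) tuples for each file-system trace that is present."""
    findings = []
    for root in program_files_dirs:
        for entry in _children(root):
            # Lower-case comparison so a mounted disk image on a
            # case-sensitive file system is matched like Windows would.
            if entry.is_dir() and entry.name.lower() == INSTALL_DIR:
                findings.append(("install_dir", str(entry)))
                # Report every DLL/EXE inside, since file names vary.
                findings += [("binary", str(f)) for f in _children(entry)
                             if f.is_file() and f.suffix.lower() in BINARY_SUFFIXES]
    findings += [("log", str(f)) for f in _children(windows_dir)
                 if f.is_file() and f.name.lower() in LOG_NAMES]
    return findings


if __name__ == "__main__":
    # Assumption: also check ProgramFiles(x86), where a 32-bit program's
    # %ProgramFiles% resolves on 64-bit Windows.
    roots = {os.environ.get(v) for v in ("ProgramFiles", "ProgramFiles(x86)")} - {None}
    hits = find_turkahn_artifacts(sorted(roots), os.environ.get("SystemRoot", r"C:\Windows"))
    for kind, path in hits:
        print(f"{kind:12} {path}")
    print("no traces found" if not hits else f"{len(hits)} trace(s) found")
```

The same function can be pointed at the Program Files and Windows folders of a mounted disk image instead of the live system.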
Downloads and Executes Arbitrary Files
Win32/Turkahn.A may attempt to download other configuration data files or executable files from a predefined remote server.
Analysis by Brett Harris
Prevention