
Trojan.Tofsee.AM

MEDIUM
MEDIUM
68KB
((KAV32)Backdoor.Win32.Agent.aird; (NOD32)Win32/Agent.NWH; (DrWeb)Trojan.Spambot.4588; )

Symptoms

Unrequested network activity

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

When executed, the malware performs an installation step, copying itself to
%System%\[random_name].exe
%UserProfile%\[random_name2].exe
and adding these two copies to the system startup registry entries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    [random_name] = "%System%\[random_name].exe \u"
[HKLM\Software\Microsoft\Windows NT\Winlogon]
    Userinit = "%System%\userinit.exe, %UserProfile%\[random_name2].exe \s"
Then %System%\[random_name].exe is launched and the initial file is deleted from disk using a .BAT file created in the %Temp% folder.
The new process modifies several registry entries related to Internet security settings in order to lower them, and also adds itself to the Windows Firewall trusted applications list:
[HKCU\Software\Microsoft\Internet Explorer\IntelliForms]
   AskUser
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   WarnOnPostRedirect
   WarnOnZoneCrossing
   WarnOnPost  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
   MinLevel
   RecommendedLevel
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   %System%\[random_name].exe
The malware tries to connect to the following IP addresses to receive further instructions: 193.27.246.157, 212.95.32.52, 89.107.104.110, 213.155.7.242
The infected computer is used to send spam; for this purpose an SMTP server and a mail generator are implemented in the malware body.
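As an added example (not Bitdefender's code), the PowerShell audit below checks the registry locations named in the description above for the traces this family leaves. It assumes an elevated session and that the Winlogon key meant is the standard one under ...\Windows NT\CurrentVersion\Winlogon.

```powershell
# Added example, not Bitdefender's code: audit the persistence and settings
# locations named in the description. Compare results with a known-good baseline.
$findings = @()

# 1. Winlogon Userinit should hold only the system userinit.exe; the sample appends
#    a second loader after a comma. Assumption: standard CurrentVersion path.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    if ($entry -notmatch '\\system32\\userinit\.exe$') {
        $findings += "Winlogon Userinit contains an extra loader: $entry"
    }
}

# 2. Run key values whose image lives in the system directory and whose command
#    line ends with the '\u' switch the sample uses.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
    if ($prop.Value -match '\\system32\\[^\\]+\.exe"?\s+\\u\s*$') {
        $findings += "Suspicious Run entry '$($prop.Name)': $($prop.Value)"
    }
}

# 3. Firewall authorized-application list: binaries in the system directory that
#    lack a valid Authenticode signature deserve a closer look.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwKey = Get-Item -Path $fwList -ErrorAction SilentlyContinue
if ($fwKey) {
    foreach ($path in $fwKey.GetValueNames()) {
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        if ($expanded -match '\\system32\\' -and (Test-Path -LiteralPath $expanded)) {
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            if ($sig.Status -ne 'Valid') {
                $findings += "Unsigned firewall-authorized binary: $expanded ($($sig.Status))"
            }
        }
    }
}

# 4. Internet Explorer warning switches the sample turns down; report current values
#    so they can be checked against the organisation's baseline.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'WarnOnPost', 'WarnOnPostRedirect', 'WarnOnZoneCrossing') {
    $v = (Get-ItemProperty -Path $inet -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v) { $findings += "$name = $v" }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```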