Trojan.Tofsee.AM
MEDIUM
MEDIUM
68KB
(KAV32) Backdoor.Win32.Agent.aird;
(NOD32) Win32/Agent.NWH;
(DrWeb) Trojan.Spambot.4588
Symptoms
Unrequested network activity
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Ovidiu Visoiu, virus researcher
Technical Description:
When executed, the malware performs an installation step, copying itself to
%System%\[random_name].exe
%UserProfile%\[random_name2].exe
and adding these two copies to the system startup registry entries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[random_name] = "%System%\[random_name].exe \u"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = "%System%\userinit.exe, %UserProfile%\[random_name2].exe \s"
The stock Userinit value is "%System%\userinit.exe," alone; appending a second, comma-separated path makes Winlogon start the second copy at every interactive logon. Note the "\u" and "\s" switches each copy is started with.
Then %System%\[random_name].exe is launched and the original file is deleted from disk by a .BAT file created in the %Temp% folder.
The new process then modifies registry entries that control Internet Explorer security settings, lowering them, and adds itself to the Windows Firewall authorized applications list:
[HKCU\Software\Microsoft\Internet Explorer\IntelliForms]
AskUser
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
WarnOnPostRedirect
WarnOnZoneCrossing
WarnOnPost
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] (Trusted sites zone)
MinLevel
RecommendedLevel
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%System%\[random_name].exe
Clearing the WarnOn* values suppresses the prompts Internet Explorer shows before posting form data or moving between security zones; the firewall list entry exempts the copy from Windows Firewall's inbound filtering, which matters for the SMTP server it runs.
The malware tries to connect to the following IP addresses to receive further instructions: 193.27.246.157, 212.95.32.52, 89.107.104.110, 213.155.7.242
The infected computer is used to send spam; to this end, an SMTP server and a mail generator are implemented in the malware body.
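Offline triage for the indicators described above, as an added example that is not part of the BitDefender description: a Python script that parses a Windows .reg export (the text "reg export" produces) and flags a Run entry started with the "\u" switch, a Userinit value (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon) with a second path appended after the comma, the WarnOn* Internet Settings values set to 0, and a firewall AuthorizedApplications entry for the same binary that was added to Run; a second function matches "netstat -n" lines against the four addresses listed. The two registry exports, the random file names (qwdhsx.exe, kjrtwe.exe), the profile path and the netstat lines are constructed sample input. The description does not state which values the malware writes to the Internet settings, so treating 0 (prompt disabled) as the indicator is an assumption, as is the cross-check between the Run entry and the firewall exception.

```python
# Offline triage for the registry and network indicators described above; runs over
# a Windows .reg export (the text `reg export` produces) and `netstat -n` output.
import re

# Constructed sample of what `reg export` might return from an infected host; the
# random file names, the profile path and the dword values are assumptions.
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qwdhsx"="C:\\WINDOWS\\system32\\qwdhsx.exe \\u"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\Documents and Settings\\user\\kjrtwe.exe \\s"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000000
"WarnOnPostRedirect"=dword:00000000
"WarnOnZoneCrossing"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\qwdhsx.exe"="C:\\WINDOWS\\system32\\qwdhsx.exe:*:Enabled:qwdhsx"
"""
# Constructed clean baseline: stock Userinit (nothing after the comma) and the IE
# prompts left enabled (1), so nothing should be flagged.
CLEAN_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000001
"WarnOnZoneCrossing"=dword:00000001
"""
# Constructed `netstat -n` lines; only the first one talks to a listed address.
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.20:1045      193.27.246.157:80      ESTABLISHED",
    "  TCP    192.168.1.20:1046      10.0.0.5:445           ESTABLISHED",
]

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
INET_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
FW_LIST_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters"
               r"\firewallpolicy\standardprofile\authorizedapplications\list")
IE_WARN_VALUES = ("WarnOnPost", "WarnOnPostRedirect", "WarnOnZoneCrossing")
C2_IPS = {"193.27.246.157", "212.95.32.52", "89.107.104.110", "213.155.7.242"}  # from the description

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # in .reg strings a backslash escapes the next character

def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: value}}; REG_SZ and REG_DWORD
    values are decoded, other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)  # "name"=<data>
        if not m or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith("dword:"):
            value = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            value = _unescape(rhs[1:-1])
        else:
            value = rhs
        keys[current][name] = value
    return keys

def _ci(mapping, name, default):
    # Registry key paths and value names are case-insensitive; exports preserve case.
    return next((v for k, v in mapping.items() if k.lower() == name.lower()), default)

def find_tofsee_indicators(keys):
    """Return (indicator, detail) pairs for the registry changes described above."""
    findings, run_binaries = [], set()
    # 1. Run entries started with the "\u" switch; remember the binary for check 4.
    for name, cmd in _ci(keys, RUN_KEY, {}).items():
        if isinstance(cmd, str) and re.search(r"\s\\u$", cmd):
            run_binaries.add(cmd[:-2].strip().strip('"').lower())
            findings.append(("run_key_u_switch", f"{name} = {cmd}"))
    # 2. Stock Userinit is "<system>\userinit.exe," alone; a second path is a logon hijack.
    userinit = _ci(_ci(keys, WINLOGON_KEY, {}), "Userinit", "")
    if len([p for p in userinit.split(",") if p.strip()]) > 1:
        findings.append(("userinit_hijack", userinit))
    # 3. IE warning prompts cleared (0 is assumed to be what the malware writes).
    inet = _ci(keys, INET_KEY, {})
    for v in IE_WARN_VALUES:
        if _ci(inet, v, None) == 0:
            findings.append(("ie_warning_disabled", v))
    # 4. A firewall exception for the very binary that was added to Run.
    for path, entry in _ci(keys, FW_LIST_KEY, {}).items():
        if path.lower() in run_binaries:
            findings.append(("firewall_exception_for_run_binary", str(entry)))
    return findings

def c2_connections(netstat_lines):
    """Foreign endpoints in `netstat -n` lines (Proto, Local, Foreign, State) that match C2_IPS."""
    rows = [line.split() for line in netstat_lines]
    return [r[2] for r in rows if len(r) >= 3 and r[0] in ("TCP", "UDP") and r[2].rsplit(":", 1)[0] in C2_IPS]

if __name__ == "__main__":
    for kind, detail in find_tofsee_indicators(parse_reg_export(INFECTED_REG_EXPORT)):
        print(f"{kind:34} {detail}")
    print("C2 connections:", c2_connections(SAMPLE_NETSTAT))
```

Run against a real export, feed the file contents (decoded from UTF-16, which is what reg export writes) to parse_reg_export; the Userinit check deliberately does not rely on the "\s" switch, because any second path after the comma is worth a look regardless of this particular sample.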