Trojan.Tofsee.AM (KAV32: Backdoor.Win32.Agent.aird; NOD32: Win32/Agent.NWH; DrWeb: Trojan.Spambot.4588)
SYMPTOMS: Unrequested network activity.

TECHNICAL DESCRIPTION: When executed, the malware performs an installation step, copying itself to:

%System%\[random_name].exe
%UserProfile%\[random_name2].exe

and adding these two copies to the system startup registry entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[random_name] = "%System%\[random_name].exe \u"

[HKLM\Software\Microsoft\Windows NT\Winlogon]
Userinit = "%System%\userinit.exe, %UserProfile%\[random_name2].exe \s"

Then %System%\[random_name].exe is launched and the initial file is deleted from disk using a .BAT file created in the %Temp% folder.

The new process modifies some registry entries related to Internet security settings in order to lower them, and also adds itself to the Windows Firewall trusted applications list:

[HKCU\Software\Microsoft\Internet Explorer\IntelliForms]
AskUser

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
WarnOnPostRedirect
WarnOnZoneCrossing
WarnOnPost

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
MinLevel
RecommendedLevel

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%System%\[random_name].exe

The malware tries to connect to the following IP addresses to receive further instructions: 193.27.246.157, 212.95.32.52, 89.107.104.110, 213.155.7.242

The infected computer is used to send spam; for this purpose an SMTP server and a mail generator are implemented in the malware body.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Ovidiu Visoiu, virus researcher
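A defender-side check for the persistence and firewall-allowlisting changes described above, as an added example that is not part of the original BitDefender entry: it parses a `reg export`-style dump (a constructed sample is embedded; pwqx.exe and xkqz.exe are placeholders for the random file names) and flags an extra Userinit entry, a Run entry started with the \u switch, and a firewall-authorised application that matches a Run entry binary. The sample uses the full Winlogon key path, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, and the constructed paths assume a Windows XP-style layout.

```python
import re
# Constructed `reg export`-style dump (not from a real host); pwqx.exe and
# xkqz.exe stand in for the [random_name] / [random_name2] files.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\user\\xkqz.exe \\s"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="ctfmon.exe"
"pwqx"="C:\\WINDOWS\\system32\\pwqx.exe \\u"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\pwqx.exe"="C:\\WINDOWS\\system32\\pwqx.exe:*:Enabled:pwqx"
'''
WINLOGON = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
RUN = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
FW_LIST = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
           r'\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List')
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    # Parse [key] headers and "name"="data" string values into {key: {name: data}}.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:  # undo .reg escaping of backslashes and quotes
                name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
                keys[current][name] = data
    return keys

def find_indicators(keys):
    # Return (reason, evidence) pairs for the registry changes the entry describes.
    findings = []
    # Userinit should hold only the system userinit.exe; any extra entry is a persistence hook.
    for entry in (e.strip() for e in keys.get(WINLOGON, {}).get('Userinit', '').split(',')):
        if entry and not entry.lower().endswith('\\userinit.exe'):
            findings.append(('Winlogon\\Userinit extra entry', entry))
    # Run entries pointing into system32 and started with the "\u" switch.
    for name, data in keys.get(RUN, {}).items():
        if re.search(r'\\system32\\[^\\]+\.exe\s+\\u$', data, re.IGNORECASE):
            findings.append(('Run entry with \\u switch', f'{name}={data}'))
    # Firewall-authorised applications whose path is also a Run entry binary.
    run_bins = {re.sub(r'\s+\\\w$', '', d).lower() for d in keys.get(RUN, {}).values()}
    for path in keys.get(FW_LIST, {}):
        if path.lower() in run_bins:
            findings.append(('Firewall-authorised Run binary', path))
    return findings
```

On a live host the same checks apply to the output of `reg export` for the three keys; the legitimate ctfmon entry in the sample shows that ordinary Run values are not flagged.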