Win32/Tofsee [Threat Name]

Win32/Tofsee.AX [Threat Variant Name]

Category trojan
Size 154112 B
Detection created Feb 27, 2013
Detection database version 8975
Aliases Trojan-Dropper.Win32.Dorifel.aatx (Kaspersky)
  Backdoor:Win32/Tofsee.F (Microsoft)
Short description

Win32/Tofsee.AX is a trojan that is used for spam distribution. The file is run-time compressed (packed) using ASPack.

Installation

When executed, the trojan copies itself into the following location:

  • %profile%\%variable%.exe

A string with variable content is used instead of %variable%, so the file name differs from one infection to another.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MSConfig" = "%profile%\%variable%.exe"

The trojan starts the following process:

  • svchost.exe

The trojan then creates and runs a new thread containing its own code inside that process (code injection), so the malicious activity appears to originate from svchost.exe.


After the installation is complete, the trojan deletes the original executable file.

Other information

Win32/Tofsee.AX is a trojan that is used for spam distribution.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 9 URLs. The HTTP and SMTP protocols are used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send spam

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • google.com
  • mail.ru
  • microsoft.com
  • yahoo.com

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceControl\DevData]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\DeviceControl\DevData]

The trojan may create the following files:

  • %windir%\Temp:temp
  • %profile%\Application Data\desktop.ini:init
  • %profile%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.tmp

The suffixes after the colon in the first two entries (:temp, :init) denote NTFS alternate data streams attached to the named directory or file; such streams are not shown by a plain directory listing.
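The following triage script is an added example, not ESET's code and not part of the original description. It checks a Windows host for the artifacts listed under Installation and Other information: the "MSConfig" Run value, the DevData registry keys in both hives, the listed files including the two alternate data streams, and svchost.exe instances whose parent is not services.exe (the trojan starts its own svchost.exe and runs a thread in it). Assumptions not taken from the page: Windows PowerShell 3.0 or later on NTFS, run in the context of the affected user so that HKCU is that user's hive; the XP-era paths "%profile%\Application Data" and "%profile%\Local Settings\Application Data" are mapped to %APPDATA% and %LOCALAPPDATA%; and the parent-process check assumes the standard layout in which services.exe spawns every legitimate svchost.exe.

```powershell
# Added triage script (not ESET's code). Assumptions: PowerShell 3.0+, NTFS,
# run as the affected user; "%profile%\Application Data" -> $env:APPDATA and
# "%profile%\Local Settings\Application Data" -> $env:LOCALAPPDATA.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Artifact, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Detail = $Detail })
}

# 1. Persistence: HKCU ...\Run value named "MSConfig". The real msconfig.exe lives in
#    %windir%\System32; a value pointing into the user profile matches the description.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['MSConfig']) {
    $target    = [Environment]::ExpandEnvironmentVariables($run.MSConfig).Trim('"')
    $inProfile = $target -like "$env:USERPROFILE\*.exe"
    Add-Finding 'Run\MSConfig' ('{0} (points into user profile: {1})' -f $target, $inProfile)
}

# 2. Registry keys the trojan uses to keep its data, in both hives.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\DeviceControl\DevData',
                 'HKCU:\SOFTWARE\Microsoft\DeviceControl\DevData') {
    if (Test-Path -Path $key) {
        $names = (Get-Item -Path $key).GetValueNames() -join ', '
        Add-Finding 'DevData key' ('{0} [values: {1}]' -f $key, $names)
    }
}

# 3. Files, including the two NTFS alternate data streams (":temp", ":init").
#    Get-Item -Stream reports a named stream on a file or directory if it exists.
$streams = @(
    @{ Path = "$env:windir\Temp";         Stream = 'temp' },
    @{ Path = "$env:APPDATA\desktop.ini"; Stream = 'init' }
)
foreach ($s in $streams) {
    if (Test-Path -LiteralPath $s.Path) {
        $ads = Get-Item -LiteralPath $s.Path -Stream $s.Stream -ErrorAction SilentlyContinue
        if ($ads) {
            Add-Finding 'Alternate data stream' ('{0}:{1} ({2} bytes)' -f $s.Path, $s.Stream, $ads.Length)
        }
    }
}
$tmp = "$env:LOCALAPPDATA\Microsoft\Windows\UsrClass.dat.tmp"
if (Test-Path -LiteralPath $tmp) { Add-Finding 'File' $tmp }

# 4. Injection target: the trojan starts svchost.exe itself and runs a thread inside it.
#    Legitimate svchost.exe processes are children of services.exe (assumption), so any
#    other parent, or a parent that has already exited, deserves a closer look.
$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $byId[[int]$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        Add-Finding 'svchost.exe with unexpected parent' ('PID {0}, parent {1} (PID {2}), image {3}' -f
            $p.ProcessId, $parentName, $p.ParentProcessId, $p.ExecutablePath)
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No Tofsee.AX artifacts found.' }
```

Run it from an elevated prompt if you need to read HKLM on a locked-down host; the HKCU and profile checks must still be evaluated as the user who was logged on when the infection happened, since the persistence value and the profile-relative paths are per-user. A hit on any single artifact is a lead rather than a verdict: the svchost.exe parent check in particular can fire on unrelated software that also spawns its own service host.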
