Win32/Tofsee [Threat Name]

Win32/Tofsee.AF [Threat Variant Name]

Category: trojan
Size: 73728 B
Detection created: Feb 28, 2011
Detection database version: 5915
Aliases: Trojan-Dropper.Win32.Vidro.fjz (Kaspersky)
  Trojan:Win32/Sisron (Microsoft)
  BKDR_CETORP.AA (TrendMicro)
Short description

Win32/Tofsee.AF is a trojan that installs the Win32/Agent.OBA trojan. The trojan can be used for sending spam. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:

  • %system%\secupdat.dat (45568 B, Win32/Agent.OBA)
  • %userprofile%\secupdat.dat (45568 B, Win32/Agent.OBA)
  • %userprofile%\%variable%.exe (45568 B, Win32/Agent.OBA)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MSConfig" = "%userprofile%\%variable%.exe"

A string with variable content is used in place of %variable%.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 8 URLs. The HTTPS protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send spam

The trojan creates the following files:

  • %temp%\%variable%.bat

The trojan may create the following files:

  • %windir%\Temp:temp
  • %appdata%\desktop.ini:init
  • %temp%\wincookie.dat
  • %system%\%variable%.exe
  • %system%\%variable%.dat
  • %system%\drivers\%variable%.sys
  • %userprofile%\%variable%.exe
  • %userprofile%\%variable%.dat
  • %userprofile%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.tmp

A string with variable content is used in place of %variable%.

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%existingrecord%"

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\DeviceControl]
    • "DevData" = "%data%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceControl]
    • "DevData" = "%data%"
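The host artifacts listed under Installation and Other information can be checked on a suspect Windows machine with the triage script below. It is an added example written for this entry, not ESET's tooling; the function name and output format are this example's own, and it assumes PowerShell 3 or later with the FileSystem provider's alternate-stream support.

```powershell
# Added triage check for the Win32/Tofsee.AF artifacts named in this entry (example code, not ESET's).
# Checks: the "MSConfig" Run value, the secupdat.dat drops, the two alternate data streams,
# and the DevData value under SOFTWARE\Microsoft\DeviceControl in HKCU and HKLM.
function Test-TofseeAFArtifacts {
    $findings = @()

    # Persistence: HKCU Run value "MSConfig" pointing at an .exe placed directly under %userprofile%
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'MSConfig' -ErrorAction SilentlyContinue
    if ($run -and ($run.MSConfig -like "$env:USERPROFILE\*.exe")) {
        $findings += "Run value MSConfig -> $($run.MSConfig)"
    }

    # Dropped payload copies (45568 B in this variant; the size is reported, not required to match)
    foreach ($p in "$env:SystemRoot\System32\secupdat.dat", "$env:USERPROFILE\secupdat.dat") {
        if (Test-Path -LiteralPath $p) {
            $len = (Get-Item -LiteralPath $p).Length
            $findings += "Dropped file $p ($len B)"
        }
    }

    # Alternate data streams the entry lists: %windir%\Temp:temp and %appdata%\desktop.ini:init
    $ads = @{ "$env:SystemRoot\Temp" = 'temp'; "$env:APPDATA\desktop.ini" = 'init' }
    foreach ($path in $ads.Keys) {
        if (Test-Path -LiteralPath $path) {
            $s = Get-Item -LiteralPath $path -Stream $ads[$path] -ErrorAction SilentlyContinue
            if ($s) { $findings += "ADS ${path}:$($ads[$path]) ($($s.Length) B)" }
        }
    }

    # Configuration store: DevData under SOFTWARE\Microsoft\DeviceControl in both hives
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\DeviceControl"
        $dev = Get-ItemProperty -Path $key -Name 'DevData' -ErrorAction SilentlyContinue
        if ($dev) { $findings += "Registry $key\DevData present (length $($dev.DevData.Length))" }
    }

    return $findings
}

$hits = Test-TofseeAFArtifacts
if ($hits.Count -eq 0) { 'No Win32/Tofsee.AF artifacts found.' } else { $hits }
```

Run it from an elevated prompt so the HKLM key and %windir%\Temp stream are readable; a hit on any single indicator warrants a full scan rather than manual cleanup, since the %variable% file names cannot be enumerated from this entry.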
