Win32/Tofsee [Threat Name]

Win32/Tofsee.AX [Threat Variant Name]

Category trojan
Size 154112 B
Aliases Trojan-Dropper.Win32.Dorifel.aatx (Kaspersky)
  Backdoor:Win32/Tofsee.F (Microsoft)
Short description

Win32/Tofsee.AX is a trojan that is used for spam distribution. The file is run-time compressed using ASPack.


When executed, the trojan copies itself into the following location:

  • %profile%\%variable%.exe

A string with variable content is used instead of %variable%.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MSConfig" = "%profile%\%variable%.exe"

The trojan runs the following process:

  • svchost.exe

The trojan creates and runs a new thread containing its own code within the svchost.exe process it started.

After the installation is complete, the trojan deletes the original executable file.

Other information

Win32/Tofsee.AX is a trojan that is used for spam distribution.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 9 URLs. The HTTP and SMTP protocols are used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send spam

The trojan checks for Internet connectivity by trying to connect to the following servers:


The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceControl\DevData]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\DeviceControl\DevData]

The trojan may create the following files:

  • %windir%\Temp:temp
  • %profile%\Application Data\desktop.ini:init
  • %profile%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.tmp
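The persistence entry, the DevData registry keys and the file list above are host artifacts a responder can check for directly. The following script is an added example written for this page, not ESET's code or tooling: it reads the Run value "MSConfig" and tests whether it points at an executable under the user profile, looks for the two DeviceControl\DevData keys, and enumerates the named alternate data streams (the `path:stream` entries) and the temp file. It assumes an elevated Windows PowerShell 3.0 or later session, and maps %profile% to $env:USERPROFILE and %windir% to $env:SystemRoot; both mappings are assumptions, since the page does not define the placeholders. It only reports and removes nothing.

```powershell
# Added example, not part of the ESET description: read-only host check for the
# Win32/Tofsee.AX indicators listed on this page.
# Assumptions: Windows PowerShell 3.0+, run elevated so HKLM and %windir% are readable;
# %profile% is taken as $env:USERPROFILE and %windir% as $env:SystemRoot.

function Get-TofseeRunKeyIndicator {
    # Page: HKCU\...\Run value "MSConfig" = "%profile%\<variable>.exe"
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties['MSConfig']) { return $null }
    $value    = [string]$props.MSConfig
    $expanded = [Environment]::ExpandEnvironmentVariables($value)
    # The page's value is a bare .exe directly under the profile directory.
    $inProfile = $expanded.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        Indicator  = 'Run value MSConfig'
        Value      = $value
        Suspicious = ($inProfile -and ($expanded -like '*.exe'))
        FileExists = (Test-Path -LiteralPath $expanded -PathType Leaf)
    }
}

function Get-TofseeRegistryStore {
    # Page: state kept under HKLM and HKCU SOFTWARE\Microsoft\DeviceControl\DevData
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\DeviceControl\DevData"
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key
            [pscustomobject]@{
                Indicator  = 'DevData key'
                Path       = $key
                ValueCount = $item.ValueCount
                ValueNames = ($item.GetValueNames() -join ', ')
            }
        }
    }
}

function Get-TofseeFileIndicator {
    # Page: three artifacts, two of them alternate data streams written as path:stream.
    $candidates = @(
        @{ Path = "$env:SystemRoot\Temp";                                  Stream = 'temp' },
        @{ Path = "$env:USERPROFILE\Application Data\desktop.ini";         Stream = 'init' },
        @{ Path = "$env:USERPROFILE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.tmp"; Stream = $null }
    )
    foreach ($c in $candidates) {
        if (-not (Test-Path -LiteralPath $c.Path)) { continue }
        if ($c.Stream) {
            # List named streams only; ':$DATA' is the ordinary unnamed stream of a file.
            $hit = Get-Item -LiteralPath $c.Path -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -eq $c.Stream }
            if ($hit) {
                [pscustomobject]@{ Indicator = 'Alternate data stream'; Path = "$($c.Path):$($c.Stream)"; Length = $hit.Length }
            }
        } else {
            $f = Get-Item -LiteralPath $c.Path
            [pscustomobject]@{ Indicator = 'File'; Path = $c.Path; Length = $f.Length }
        }
    }
}

# Usage: gather all findings; an empty result means none of the listed artifacts were found.
$findings = @(Get-TofseeRunKeyIndicator) + @(Get-TofseeRegistryStore) + @(Get-TofseeFileIndicator)
$findings | Where-Object { $_ } | Format-List
```

On current Windows versions "Application Data" and "Local Settings" under the profile are compatibility junctions, so the paths still resolve; if a finding shows a Run value under the profile with `FileExists` false, remember the page states the original executable is deleted after installation, so the absence of the dropper file does not clear the host.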
