Win32/Tophos [Threat Name]

Win32/Tophos.H [Threat Variant Name]

Category worm
Size 1276929 B
Aliases Trojan-Downloader.Win32.Delf.bekp (Kaspersky)
  Trojan:Win32/Havnit.A (Microsoft)
  Trojan.ADH (Symantec)
Short description

Win32/Tophos.H is a worm that spreads via shared folders and removable media.

Installation

When executed, the worm copies itself into the following location:

  • %startup%\search.cmd

This causes the worm to be executed on every system start.

Spreading

The worm copies itself into the root folder of each of the following drives: B:\, C:\, D:\, E:\, F:\, G:\, H:\, J:\, I:\, K:\, L:\, M:\, N:\, O:\, P:\, R:\, S:\, T:\. It uses the following name:

  • Photo.scr

Spreading via shared folders

The worm tries to copy itself into shared folders of machines on a local network.


The following filename is used:

  • Photo.scr

Other information

The worm opens the following URLs in Internet Explorer:

  • http://www.cadretest.ru/get.php?search=%variable%

When the user enters certain keywords into the browser, the worm opens certain URLs related to them.


The following keywords are monitored:

  • тест
  • псhихо
  • одноклас
  • контакте
  • фильм
  • ваканс
  • работа
  • работу
  • диет
  • худе
  • порн
  • секс
  • рецепт
  • недвиж
  • автомоб
  • волос
  • отдых
  • отел
  • знакомс
  • игр
  • причес
  • стрижк
  • парикм
  • объяв
  • гороск
  • зодиак
  • открытк
  • поздрав

A string with variable content is used in place of %variable%.


The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of (3) URLs. The HTTP protocol is used.


The worm may attempt to download files from the Internet.


These are stored in the following locations:

  • %appdata%\temp.cmd

The files are then executed.


The worm may execute the following commands:

  • %comspec% /c del %malwarefilename% >> NUL
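The drop locations, the Photo.scr spreading copy, the self-deletion command and the keyword URL listed above are the artifacts a responder would hunt for on hosts and in proxy logs. The following is an added example and not part of the ESET description: a Python triage helper that checks a file inventory, a list of process command lines and a list of requested URLs for those artifacts. The expansions assumed for %startup% and %appdata% (the per-user Start Menu\Programs\Startup and AppData\Roaming folders) and all sample inputs are constructed for illustration.

```python
"""Added example (not part of the ESET description): offline triage helper
that matches a file inventory, process command lines and requested URLs
against the Win32/Tophos.H artifacts named on the page.
All sample inputs below are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qs

# Drop locations from the description. The page writes them with the
# %startup% and %appdata% placeholders; the path tails below are the
# assumed per-user expansions, matched case-insensitively by suffix.
DROP_TAILS = (
    r"\start menu\programs\startup\search.cmd",  # %startup%\search.cmd
    r"\appdata\roaming\temp.cmd",                # %appdata%\temp.cmd (downloaded file)
)
# Spreading copy: Photo.scr directly in a drive root or directly in a network share.
ROOT_COPY_RE = re.compile(r"^[a-z]:\\photo\.scr$")
SHARE_COPY_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+\\photo\.scr$")
# Self-deletion: %comspec% /c del %malwarefilename% >> NUL
SELF_DELETE_RE = re.compile(r'\bcmd(\.exe)?"?\s+/c\s+del\s+\S.*>>\s*nul\b', re.IGNORECASE)
# Keyword URL: http://www.cadretest.ru/get.php?search=%variable%
BEACON_HOST, BEACON_PATH, BEACON_PARAM = "www.cadretest.ru", "/get.php", "search"


def match_file_iocs(paths):
    """Return (path, reason) for every inventory entry at a drop or copy location."""
    hits = []
    for p in paths:
        low = p.lower()
        if ROOT_COPY_RE.match(low):
            hits.append((p, "Photo.scr in drive root"))
        elif SHARE_COPY_RE.match(low):
            hits.append((p, "Photo.scr in network share"))
        elif low.endswith(DROP_TAILS):
            hits.append((p, "drop location"))
    return hits


def match_process_iocs(command_lines):
    """Return command lines shaped like the worm's self-delete (cmd /c del ... >> NUL)."""
    return [c for c in command_lines if SELF_DELETE_RE.search(c)]


def match_url_iocs(urls):
    """Return (url, search value) for requests to the keyword endpoint on the page."""
    hits = []
    for u in urls:
        parts = urlsplit(u)
        if parts.hostname == BEACON_HOST and parts.path == BEACON_PATH:
            query = parse_qs(parts.query)
            hits.append((u, query.get(BEACON_PARAM, [""])[0]))
    return hits


# Constructed sample data: a mixed inventory, two command lines, two URLs.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd",
    r"C:\Users\alice\AppData\Roaming\temp.cmd",
    r"E:\Photo.scr",
    r"\\fileserver\public\Photo.scr",
    r"C:\Users\alice\Pictures\Photo.scr",  # ordinary location, not flagged
    r"C:\Windows\System32\cmd.exe",
]
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c del C:\Users\alice\Downloads\Photo.scr >> NUL',
    r"cmd.exe /c dir C:\Users\alice",
]
SAMPLE_URLS = [
    "http://www.cadretest.ru/get.php?search=%D1%82%D0%B5%D1%81%D1%82",  # search=тест
    "http://example.invalid/search?q=test",
]

if __name__ == "__main__":
    for path, reason in match_file_iocs(SAMPLE_FILES):
        print(f"FILE     {reason}: {path}")
    for cmd in match_process_iocs(SAMPLE_CMDLINES):
        print(f"PROCESS  self-delete pattern: {cmd}")
    for url, keyword in match_url_iocs(SAMPLE_URLS):
        print(f"NETWORK  keyword request ({keyword!r}): {url}")
```

On a live host the inventory would come from a recursive directory listing of each drive root and the per-user profile folders, the command lines from process-creation auditing, and the URLs from proxy logs; the matching functions are kept free of I/O so they can be run against exported data from any of those sources.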

The worm quits immediately if it detects a window containing one of the following strings in its title:

  • диспетчер задач

The worm terminates any program that creates a window containing any of the following strings in its name:

  • set network location
  • насройка сетевого размещения
