Trojan.Tofsee.AM
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Tofsee.AM is also known as (KAV32.
Explanation:
When executed, the malware performs an installation step, copying itself to
%System%\[random_name].exe
%UserProfile%\[random_name2].exe
and adding these two copies to the system startup registry entries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[random_name] = "%System%\[random_name].exe u"
[HKLM\Software\Microsoft\Windows NT\Winlogon]
Userinit = "%System%\userinit.exe, %UserProfile%\[random_name2].exe s"
Then %System%\[random_name].exe is launched and the initial file is deleted from disk using a .BAT file created in the %Temp% folder.
The new process modifies some registry entries related to Internet security settings in order to lower them, and also adds itself to the Windows Firewall trusted applications list:
[HKCU\Software\Microsoft\Internet Explorer\IntelliForms]
AskUser
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
WarnOnPostRedirect
WarnOnZoneCrossing
WarnOnPost
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
MinLevel
RecommendedLevel
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%System%\[random_name].exe
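The registry locations listed above (both the autostart entries and the lowered Internet security settings) can be audited from an elevated PowerShell session. The script below is an added example, not code from the BitDefender write-up; the Winlogon key is written out with its full CurrentVersion path, the HKCU Run key and the one-letter-argument heuristic are assumptions based on the values shown above, and the Trusted sites zone levels are only reported for review.

```powershell
# Added example (not from the write-up): audit the persistence and security-setting
# locations described above for Tofsee-style modifications. Run elevated.
$findings = @()
$suspectExes = @()

# Userinit must contain only the system userinit.exe; the write-up shows a second
# executable appended after the comma, launched with an "s" argument.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
foreach ($p in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    if ($p -notmatch '^[^ ]*\\system32\\userinit\.exe$') {
        $findings += "Userinit extra entry: $p"
        $suspectExes += ($p -replace '\s+\S$', '')   # drop the trailing one-letter argument
    }
}

# Run entries launched with a bare one-letter argument, as in "[random_name].exe u".
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = Get-ItemProperty "$hive\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if ($prop.Value -match '^"?(.+?\.exe)"?\s+[a-z]$') {
            $findings += "Run entry '$($prop.Name)' = $($prop.Value)"
            $suspectExes += $Matches[1]
        }
    }
}

# Firewall exception for the same binary an autostart entry launches: the combination
# the write-up describes. Value names in this key are the authorised executable paths.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty $fw -ErrorAction SilentlyContinue
$expanded = $suspectExes | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
if ($list) {
    foreach ($prop in $list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $exe = [Environment]::ExpandEnvironmentVariables($prop.Name)
        if ($expanded -contains $exe) { $findings += "Firewall exception for autostart binary: $($prop.Value)" }
    }
}

# IE warning flags the write-up says are lowered (0 = warning disabled); WarnOnPost is REG_BINARY.
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty $is -ErrorAction SilentlyContinue
foreach ($name in 'WarnOnPost', 'WarnOnPostRedirect', 'WarnOnZoneCrossing') {
    $v = $p.$name
    if ($v -is [byte[]]) { $v = $v[0] }
    if ($null -ne $v -and [int]$v -eq 0) { $findings += "$name is 0 (warning disabled)" }
}
$zone = Get-ItemProperty "$is\Zones\2" -ErrorAction SilentlyContinue
if ($zone) { $findings += "Trusted sites zone (review): MinLevel=$($zone.MinLevel) RecommendedLevel=$($zone.RecommendedLevel)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Tofsee-style indicators found.' }
```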
The malware will try to connect to some IP addresses to receive further instructions: 193.27.246.157, 212.95.32.52, 89.107.104.110, 213.155.7.242
The infected computer will be used for spam; to this end, an SMTP server and a mail generator are implemented in the malware body.
Last update 21 November 2011