Backdoor:Win32/Tofsee.F is a backdoor trojan that acts as a spam and traffic relay.
System Changes
The following system changes may indicate the presence of Backdoor:Win32/Tofsee.F:
- The following registry values may be modified in order to lower or disable Internet security settings:
  Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Values: WarnOnZoneCrossing, WarnOnPostRedirect, WarnonBadCertRecving
  Under key: HKCU\Software\Microsoft\Internet Explorer\IntelliForms
  Values: AskUser, WarnOnPost
  Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  Values: MinLevel, RecommendedLevel, 1601, 1803, 1800, 1609, 1407, 1406, 1405, 1402, 1400, 1201, 1200, 1004, 1001
  Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  Value: 1601
  Under key: HKCU\Software\Microsoft\Internet Explorer\InformationBar
  Value: FirstTime
Installation
When executed, Tofsee.F copies itself to the following locations using a randomly generated filename:
- c:\documents and settings\<username>
- <system folder>
For example:
- c:\documents and settings\<username>\srmrqc.exe
- <system folder>\yulb.exe
It deletes its original executable using a batch file that it creates in the %temp% directory, for example:
- %temp%\removeme<random 4 numbers>.bat.
Tofsee makes several modifications to the registry to ensure that its copies run at each Windows start:
- Adds value: "<random entry name>"
  With data: "<system folder>\<random file name>.exe \u"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Where <random entry name> = <random file name>
- Adds value: "Userinit"
  With data: "<system folder>\userinit.exe, c:\documents and settings\<username>\<random file name>.exe \s"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Payload
Modifies System Security Settings
Backdoor:Win32/Tofsee.F modifies the following registry values in order to lower or disable Internet security settings:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Values: WarnOnZoneCrossing, WarnOnPostRedirect, WarnonBadCertRecving
Under key: HKCU\Software\Microsoft\Internet Explorer\IntelliForms
Values: AskUser, WarnOnPost
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Values: MinLevel, RecommendedLevel, 1601, 1803, 1800, 1609, 1407, 1406, 1405, 1402, 1400, 1201, 1200, 1004, 1001
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Value: 1601
Under key: HKCU\Software\Microsoft\Internet Explorer\InformationBar
Value: FirstTime
The malware also adds itself as a 'trusted program' to the Windows Firewall.
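The registry changes listed under Installation (the Run entry with its `\u` switch and the extra program appended to Winlogon's Userinit value) and under Payload (the Internet Explorer warning switches and zone URL actions) can be checked offline against a registry export. The following script is an added example and is not code from the advisory or from Microsoft: it parses a .reg export (REGEDIT4 / "Windows Registry Editor Version 5.00" text) and reports values matching those patterns. The embedded export is constructed for the example; the file names in it (srmrqc.exe, yulb.exe) are taken from the advisory's own illustrative names and are placeholders, not indicators. The zone check treats a data value of 0 (Enable) for URL actions 1004 (download unsigned ActiveX) and 1201 (initialize/script ActiveX not marked safe) as suspicious, since Enable is not the default for those actions in the Trusted (2) or Internet (3) zone.

```python
"""Scan a Windows .reg export for the registry changes described above.

Added example, not part of the advisory. SAMPLE_EXPORT below is constructed
by hand to exercise the checks; its paths and names are placeholders.
"""
import re

# Keys named in the advisory, spelled as a .reg export writes them.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
INFOBAR_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InformationBar"
# IE warning switches that default to 1; the advisory lists them as lowered.
WARN_VALUES = ("WarnOnZoneCrossing", "WarnOnPostRedirect", "WarnonBadCertRecving")
# URL actions where 0 (Enable) is not a default in zone 2 or 3.
RISKY_ACTIONS = ("1004", "1201")

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text.

    dword values become ints, quoted strings are unescaped, other types are
    kept as the raw text after '='.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
            else:
                keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (key, value_name, reason) tuples for values matching the advisory."""
    findings = []
    # 1. Userinit should reference only userinit.exe; Tofsee appends its own copy.
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    for entry in (e.strip() for e in str(userinit).split(",")):
        if entry and not entry.lower().endswith("userinit.exe"):
            findings.append((WINLOGON_KEY, "Userinit", "extra program: " + entry))
    # 2. Run entries launched with the trailing " \u" switch the advisory describes.
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith(" \\u"):
            findings.append((RUN_KEY, name, "run entry with \\u switch: " + data))
    # 3. Internet Explorer warning switches turned off.
    inet = keys.get(INET_KEY, {})
    for v in WARN_VALUES:
        if inet.get(v) == 0:
            findings.append((INET_KEY, v, "warning disabled"))
    # 4. Risky URL actions set to Enable in the Trusted (2) or Internet (3) zone.
    for zone in ("2", "3"):
        zone_key = INET_KEY + "\\Zones\\" + zone
        for action in RISKY_ACTIONS:
            if keys.get(zone_key, {}).get(action) == 0:
                findings.append((zone_key, action, "URL action set to Enable"))
    # 5. Information bar first-run prompt suppressed.
    if keys.get(INFOBAR_KEY, {}).get("FirstTime") == 0:
        findings.append((INFOBAR_KEY, "FirstTime", "prompt suppressed"))
    return findings


# Constructed sample export: one clean Run entry plus the advisory's patterns.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, c:\\documents and settings\\user\\srmrqc.exe \\s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yulb"="C:\\WINDOWS\\system32\\yulb.exe \\u"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing"=dword:00000000
"WarnOnPostRedirect"=dword:00000000
"WarnonBadCertRecving"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
"1201"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InformationBar]
"FirstTime"=dword:00000000
"""


def scan_sample():
    """Run the checks over the constructed export and return the findings."""
    return find_indicators(parse_reg(SAMPLE_EXPORT))


if __name__ == "__main__":
    for key, name, reason in scan_sample():
        print(f"{key}\\{name}: {reason}")
```

On a live machine the export is produced with `reg export` for each of the keys above; the checks are deliberately narrow (they match the advisory's patterns rather than guess at "random-looking" file names), so a clean Run entry such as ctfmon.exe in the sample is not reported.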
Backdoor Functionality
The malware's primary purpose is to act as a spam and traffic relay. It functions as an HTTP proxy, using its backdoor functionality to receive commands that may order it to generate and send e-mail.
Additional Information
Tofsee.F has been distributed as a UPX-packed executable.
Analysis by Matt McCormack
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
To turn on the Windows Firewall in Windows Vista
- Click Start, and click Control Panel.
- Click Security.
- Click Turn Windows Firewall on or off.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly.