You have been re-routed to the Backdoor:Win32/Tofsee.F write up because Backdoor%3aWin32%2fTofsee.F has been renamed to Backdoor:Win32/Tofsee.F
 

Backdoor:Win32/Tofsee.F


Microsoft security software detects and removes this threat.

This backdoor trojan can give a malicious hacker access to send spam email from your PC.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Additional remediation instructions

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat copies itself to these folders using a randomly generated file name:

For example:

It deletes its original file once it's run, so you might not be able to find that file on your PC.

Tofsee makes several changes to the registry to ensure that its copies run at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random entry name>"
With data: "<system folder>\<random file name>.exe \u"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, %USERPROFILE%\<random file name>.exe \s"

Payload

Changes Internet Explorer security settings

Tofsee changes the following registry values to lower or disable Internet Explorer's security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets values:
"WarnOnZoneCrossing"
"WarnOnPostRedirect"
"WarnonBadCertRecving"
With data: "0"

In subkey: HKCU\Software\Microsoft\Internet Explorer\IntelliForms
Sets values:
"AskUser"
"WarnOnPost"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets values:
"MinLevel"
"RecommendedLevel"
"1601"
"1803"
"1800"
"1609"
"1407"
"1406"
"1405"
"1402"
"1400"
"1201"
"1200"
"1004"
"1001"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1601"
With data: "0"

In subkey: HKCU\Software\Microsoft\Internet Explorer\InformationBar
Sets value: "FirstTime"
With data: "0"

Tofsee also adds itself as a 'trusted program' to the Windows Firewall.

Give a malicious hacker access to your PC

Tofsee's primary purpose is to act as a spam and traffic relay. It functions as an HTTP proxy, receiving commands from a hacker that let it generate and send emails as if they came from your PC (though not necessarily from your email address).

Analysis by Matt McCormack


Symptoms

The following could indicate that you have this threat on your PC:

  • Your Internet Explorer settings have changed
  • You see these entries or keys in your registry:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Userinit"
    With data: "<system folder>\userinit.exe, %USERPROFILE%\<random file name>.exe \s"
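As an added example (not part of the Microsoft write-up), the following read-only PowerShell check looks for the registry changes described under Installation and Payload above: the extra Winlogon Userinit entry, a Run value using the "\u" switch, and the Internet Explorer warning values set to 0. It assumes the standard system folder under $env:SystemRoot and only reports what it finds.

```powershell
# Added example (not from the Microsoft write-up): read-only audit of the
# registry changes this write-up attributes to Tofsee.F. Run as Administrator
# so the HKLM keys are readable; it reports findings and changes nothing.
function Get-TofseeIndicators {
    $findings = @()

    # 1. Winlogon Userinit: the only legitimate entry is <system folder>\userinit.exe.
    #    The write-up shows an extra "%USERPROFILE%\<random>.exe \s" entry appended.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $extra = ($userinit -split ',') | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -ne $expected }
        foreach ($e in $extra) { $findings += "Winlogon\Userinit has unexpected entry: $e" }
    }

    # 2. Run key: any value whose data ends in the " \u" switch the write-up describes.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        $meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
        foreach ($p in $run.PSObject.Properties | Where-Object { $meta -notcontains $_.Name }) {
            if ("$($p.Value)" -match '\s\\u\s*$') {
                $findings += "Run value '$($p.Name)' uses the \u switch: $($p.Value)"
            }
        }
    }

    # 3. Internet Explorer warnings the write-up says are set to 0 (disabled).
    $ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($name in 'WarnOnZoneCrossing','WarnOnPostRedirect','WarnonBadCertRecving') {
        $v = (Get-ItemProperty -Path $ie -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v -and $v -eq 0) { $findings += "Internet Settings\$name is 0" }
    }
    # Zone 2 (Trusted sites) value 1201 controls "initialize and script ActiveX
    # controls not marked as safe"; 0 (enabled) is not a default at any IE level.
    $v = (Get-ItemProperty -Path "$ie\Zones\2" -Name '1201' -ErrorAction SilentlyContinue).'1201'
    if ($null -ne $v -and $v -eq 0) { $findings += "Zones\2\1201 is 0 (unsafe ActiveX enabled)" }

    return ,$findings
}

$result = Get-TofseeIndicators
if ($result.Count -eq 0) { 'No Tofsee.F registry indicators found.' } else { $result }
```

A hit on the Userinit or Run checks alone is a strong indicator; the IE values can also be set by other software, so treat them as supporting evidence and follow up with a full scan as the write-up advises.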


Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.185.458.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 28, 2008
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases