Threat behavior
Virus:Win32/Tufik.gen is a generic detection for variants of the Win32/Tufik file-infecting virus family. This virus searches for and infects files with the extension .EXE across all drives.
Installation
When an infected file is executed, the virus first injects a thread into the Windows process 'WINLOGON.EXE' to stop and kill the SFC watcher thread (implemented in 'SFC_OS.DLL'). The SFC watcher thread is a component of Windows File Protection (WFP) and is responsible for notifying Windows (and, in turn, the user) when a system file is compromised, modified or deleted. With WFP disabled, the virus can infect system files without alerting the user.
Spreads Via…
File Infection
Running or opening infected files activates the virus so that it infects .EXE files. If the virus is running from the Windows Explorer process, it creates two threads: one that attempts to download files and another that infects files. The file infection thread enumerates drives and tries to infect .EXE files on any drive whose drive type is not "UNKNOWN", "NO_ROOT" or "CDROM". The infection is carried in an appended PE section named '.adata'.
If the current process is not running from 'EXPLORER.EXE', the virus copies the Windows executable (located at '%windir%\explorer.exe') to 'c:\explorer.exe' and then infects 'c:\explorer.exe'. On reboot, the virus moves the now-infected 'EXPLORER.EXE' into the Windows folder and moves the original (non-infected) 'EXPLORER.EXE' to the %TEMP% folder as a file named '@<random>.tmp'.
Payload
Downloads Files
This virus may attempt to download files from one of the following domains:
tufei503.51.net
tufei503.home4u.china.com
From this address it obtains a URL that it uses to receive commands.
Allows Remote Access
Virus:Win32/Tufik.gen contains a predefined remote address; the virus attempts to connect back to it on port 8081. Once connected, the virus can respond to instructions from a remote attacker and take actions such as the following:
Cleanup (closes connection)
Infect (infects files greater than 4,096 bytes and less than 14,680,064 bytes)
Get file information
Shell execute
Delete file
Move file
Copy file
Create directory
Upload file by ftp
Download file by ftp
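Two details above give a defender something concrete to check for: the infection sits in an appended PE section named '.adata' (File Infection), and the remote Infect command only targets files larger than 4,096 and smaller than 14,680,064 bytes. The following scanner is an added example, not code from the original write-up: it parses the PE section table with the standard library only and flags a trailing '.adata' section; the build_sample_pe helper constructs minimal header-only blobs (not real binaries) so the check can be exercised offline.

```python
import struct

TUFIK_SECTION = ".adata"                 # appended section name from the write-up
MIN_SIZE, MAX_SIZE = 4_096, 14_680_064   # bounds of the remote "Infect" command

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image in table order, or [] if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size      # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes; name is the first 8
        if off + 40 > len(data):
            break                         # truncated table: report what was readable
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_tufik_infected(data: bytes) -> bool:
    """Heuristic: the infection is an appended (therefore last) section named '.adata'."""
    names = pe_section_names(data)
    return bool(names) and names[-1] == TUFIK_SECTION

def in_tufik_size_range(size: int) -> bool:
    """Whether a clean .EXE of this size is a candidate for the remote Infect command."""
    return MIN_SIZE < size < MAX_SIZE

def build_sample_pe(section_names, total_size: int) -> bytes:
    """Constructed minimal PE-shaped blob (headers only, not a runnable binary) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    opt_size = 0xE0                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return (dos + b"PE\0\0" + coff + opt + sections).ljust(total_size, b"\0")

if __name__ == "__main__":
    for label, blob in (("clean", build_sample_pe([".text", ".data"], 8192)),
                        ("suspect", build_sample_pe([".text", ".data", ".adata"], 8192))):
        print(label, pe_section_names(blob), looks_tufik_infected(blob))
```

Section-name heuristics are cheap triage, not a verdict: a match should send the file to proper antivirus scanning, and a missing '.adata' name does not prove a file is clean.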
Analysis by Dan Kurc
Prevention