Backdoor:W32/Tofsee may be found being offered on websites, or dropped on the user's machine as part of the payload of another malware. Tofsee's executable file is distributed with a Flash Player icon, as a decoy to lure the unsuspecting user into clicking it and launching the malware.
When Tofsee is executed, it first creates a copy of itself in the following location:
And creates the following registry key to make sure this copy is executed each time the computer is started up:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSConfig" = "%USERPROFILE%random_generated_strings.exe"
Next, the malware creates and runs a new thread in the 'svchost.exe' process and adds itself as a 'trusted program' to the Windows Firewall. Finally, it deletes the original executable file to cover its own tracks.
Once Tofsee has added itself as a trusted program, it can safely communicate with a remote Command and Control (C&C) server to obtain additional instructions, as well as download several plug-ins or modules that it loads into memory. These allow the malware to:
- Create spam emails and send them through an SMTP server via a HTTP proxy
- Send spam in Facebook, Skype and Twitter (in postings, tweets, etc)
- Participate in a Distributed Denial of Service (DDoS) attack
- Mine for virtual currency such as Litecoin
And so on, as per directions received from the C&C server.