W32/Tufik

Type: Virus
SubType: Win32
Discovery Date: 12/06/2007
Length: various
Minimum DAT: 5179 (12/06/2007)
Updated DAT: 5883 (02/05/2010)
Minimum Engine: 5.1.00
Description Added: 12/06/2007
Description Modified: 02/05/2008 10:57 AM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

W32/Tufik is a virus that infects .exe files.

Upon execution, it copies itself to %WinDir%\alg.exe, then kills itself.

It creates the process alg.exe.

It connects to a remote URL to download updated variants of itself and additional malware. The downloaded file is saved as %WinDir%\svchost.exe.

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lsass="%WinDir%\alg.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\svchost="%WinDir%\svchost.exe"

The virus infects .exe files by prepending itself.

It can propagate via network shares or removable drives by infecting the .exe files in shared folders or on removable drives.

Symptoms

- Registry keys added by the virus, as described above

- Processes created by the virus, as described above
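
As an added example (not part of the original description or any vendor tooling), the following Python triages saved `reg query` output for the two Run entries listed under Characteristics. The function names, the sample text, the default `C:\WINDOWS` and the treatment of `%SystemRoot%` as equivalent to `%WinDir%` are assumptions of this example.

```python
import ntpath
import re

# Run key and value-name -> file-name pairs taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
TUFIK_VALUES = {"lsass": "alg.exe", "svchost": "svchost.exe"}

# Matches one value line of `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$")


def normalize(path, windir):
    """Expand %WinDir%/%SystemRoot%, strip quotes, lower-case, normalise separators."""
    path = path.strip().strip('"')
    path = re.sub(r"%(windir|systemroot)%", lambda m: windir, path, flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))


def find_tufik_run_entries(reg_output, windir=r"C:\WINDOWS"):
    """Return (value name, data) pairs under RUN_KEY that match the described entries."""
    hits, in_key = [], False
    for line in reg_output.splitlines():
        if line and not line[0].isspace():  # an unindented line is a key header
            in_key = line.strip().lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        expected = TUFIK_VALUES.get(m["name"].lower()) if (in_key and m) else None
        # The indicator is the file sitting directly in %WinDir%, not in System32.
        if expected and normalize(m["data"], windir) == normalize(ntpath.join(windir, expected), windir):
            hits.append((m["name"], m["data"].strip()))
    return hits


# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = "\n".join([
    RUN_KEY,
    r'    lsass    REG_SZ    C:\WINDOWS\alg.exe',
    r'    svchost    REG_SZ    "%WinDir%\svchost.exe"',
    r'    ctfmon    REG_SZ    C:\WINDOWS\System32\ctfmon.exe',
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r'    lsass    REG_SZ    C:\WINDOWS\alg.exe',
])

if __name__ == "__main__":
    for name, data in find_tufik_run_entries(SAMPLE):
        print(f"possible W32/Tufik persistence: {name} -> {data}")
```

Only the policies\Explorer\Run key named in the description is checked, so the identical value under the ordinary Run key in the sample is deliberately not reported.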

Method of Infection

W32/Tufik is a virus that infects PE files and spreads over floppy drives, other removable devices and network shares. It can also be downloaded by other malware or by another variant.

Removal

Variants

    N/A

Overview

W32/Tufik is a virus that infects .exe files. It downloads files from a malicious URL.
