Just like its sibling in the Conficker family, it restricts access to AV websites and kills removal tools

While both Yahoo!® Messenger and MSN Messenger have been massively exploited by IM worms, Skype users have been less exposed to this type of e-threat. It is true that hyperlink-sending worms are hardly news in the current malware landscape, and multiple variants affecting various IM services are in the wild, but most of them are extremely easy to remove and don’t come with an additional method of protection. Unlike average IM worms, Backdoor.Tofsee features an extensive set of tricks to deter detection and removal, as well as a wide assortment of ways to harm both the user and their computer.

The worm relies on social engineering to lure the user into downloading and executing a copy of itself on the local machine. It looks for the system locale settings (country, language and currency) in order to determine which language to send its messages in. It can use English, Spanish, Italian, Dutch, German, and French to send itself to either Skype™ or Yahoo!® Messenger contacts. The alleged conversations will always be different from the previous messages and will be constantly updated from a remote location.

Plus, in order to avoid suspicion, the worm will only send the message during an on-going conversation, rather than randomly starting one-link monologues. As the unwary user clicks on the infected link, they will be redirected to a spoofed page impersonating Rapidshare. If the user continues the download process by clicking the alleged Rapidshare download link, they get a zipped archive called NewPhoto024.JPG.zip. Upon extraction, the archive reveals an executable file with a deceptive name: NewPhoto024.JPG_www.tinyfilehost.com. The file looks like a JPG, followed by an URL.

However, trailing .com is actually the file format revealing an MS-DOS executable application. Once executed, the infected binary queries the Windows Registry to see if either Skype or Yahoo Messenger is installed. If neither application is to be found on the computer , the worm will exit without infecting the system. If they are, the worm ensures that it is not being analyzed in a virtual machine by checking the Performance Counter.

Should the worm detect that it is running in a virtual machine or inside a debugger, it automatically terminates itself, else it creates create a suspended child process and subsequently inject the worm’s decrypted overlay in it. After the successful injection, the child process is resumed and the parent process kills itself.

In order to hide itself from the operating system, the worm deploys its last line of defense: a rootkit driver that conceals files, monitors the global Internet activity originating from the infected machine and prevents access to the URLs associated with antivirus vendors, online scanners, tech support forums and, of course, Windows Update. As a novelty, the worm also denies access to a certain number of high-profile download portals that might host removal tools or antivirus utilities.

After having successfully compromised the system, the worm adds itself to the Startup key in the Windows Registry; it also deactivates the Windows Firewall in order to breach the local security and to allow a remote attacker to connect to the worm’s backdoor component. To make things worse, the rootkit component also prevents the installation of any file known to be an antivirus product. Backdoor.Tofsee identifies these files by their filename, so renaming the blocked file should solve the issue.

The worm’s spreading mechanism isn’t reduced to spamming itself via Skype and YIM; it also copies itself on any attached USB storage devices it finds by replicating its binary in a newly-created folder called ~secure and creating an autorun.inf file to point to it. A secondary folder, called Temp002 is also generated and a binary file infected with Trojan.Vaklik.AY is planted inside it. All the created files have the archive, hidden and system attributes set to 1 in order to conceal them from the Windows Explorer shell.

Backdoor.Tofsee is a high-risk piece of malware that allows a remote attacker to take complete control over the infected machine and use it for various illegal purposes. In order to stay safe, you are advised to install and regularly update a complete antimalware solution with antispam, antiphishing, antivirus and firewall modules.

About BitDefender®
BitDefender is the creator of one of the industry’s fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention. Every day, BitDefender protects tens of millions of home and corporate users across the globe – giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products are available at the company’s security solutions press room. Additionally, BitDefender’s www.malwarecity.com provides background and the latest updates on security threats helping users stay informed in the everyday battle against malware.