virus protection

W32/Tufik virus which infects .exe files

Tuesday, February 5, 2008

Overview -

W32/Tufik is a virus that infects .exe files. It downloads files from a malicious URL.
Characteristics -

W32/Tufik is a virus that infects .exe files.

Upon execution, it copies itself to %WinDir%\alg.exe, then kills itself.

It creates the process alg.exe.

It connects to a remote URL to download updated variants of itself and additional malware. The downloaded file is saved as %WinDir%\svchost.exe.

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lsass="%WinDir%\alg.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\svchost="%WinDir%\svchost.exe"

The virus infects .exe files by prepending itself.

It can propagate via network shares or removable drives by infecting the .exe files in the shared folders or on the removable drives.
Symptoms -

-registry keys added by the virus as described above

-processes created by the virus as described above
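
An added example, not part of the original post: a Python check that parses `reg query` text output for the Policies\Explorer\Run key and flags the two values listed above when they point to files directly in %WinDir%. The sample output is constructed, and the function names and the default `windir` of C:\WINDOWS are assumptions.

```python
import ntpath
import re

# Indicators from the write-up: Run value name -> file dropped directly in %WinDir%.
TUFIK_VALUES = {"lsass": "alg.exe", "svchost": "svchost.exe"}
RUN_KEY = (r"hkey_local_machine\software\microsoft\windows"
           r"\currentversion\policies\explorer\run")
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
WINDIR_VAR = re.compile(r"%(windir|systemroot)%", re.IGNORECASE)

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if key and match:
            yield key, match["name"], match["data"].strip().strip('"')

def find_tufik_run_entries(text, windir=r"C:\WINDOWS"):
    """Return (value_name, data) pairs matching the Run entries described above."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() != RUN_KEY:
            continue
        expected_file = TUFIK_VALUES.get(name.lower())
        # Expand %WinDir% and normalise case and separators before comparing.
        path = ntpath.normcase(WINDIR_VAR.sub(lambda _: windir, data))
        directory, filename = ntpath.split(path)
        if filename == expected_file and directory == ntpath.normcase(windir):
            hits.append((name, data))
    return hits

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    lsass    REG_SZ    C:\WINDOWS\alg.exe
    svchost    REG_SZ    %WinDir%\svchost.exe
    BackupAgent    REG_SZ    C:\Program Files\Backup\agent.exe
"""

if __name__ == "__main__":
    for name, data in find_tufik_run_entries(SAMPLE):
        print(f"suspicious Run value {name!r} -> {data}")
```

The legitimate Windows alg.exe and svchost.exe live in %WinDir%\System32, so a Run value pointing at either name directly under %WinDir% does not match the stock layout.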
Method of Infection -

W32/Tufik is a virus that infects PE files and spreads over floppy drives, other removable devices and network shares. It can also be downloaded by other malware or by another variant.
posted by Mandy, 1:18 PM

1 Comments:

Antispyware solution from Search-and-destroy.
I have tried so many different types of scans to help keep my PC running at its best and one thing that I discovered is that they all tend to find the same types of bugs. The main difference between them all is the price that you pay. Recently I discovered Search-and-destroy Antispyware at http://www.Search-and-destroy.com and I really like it a lot. Antispyware solution from Search-and-destroy is one of the best scans I have ever used and I’m sure that you will be very happy with it as well. Go ahead and give it a try, you will be glad you did!
