W32/Tufik

This page shows details and results of our analysis on the malware W32/Tufik

Overview

W32/Tufik is a virus that infects .exe files. It downloads files from a malicious URL.

Minimum DAT: 5179 (2007-12-06)

Updated DAT: 5957 (2010-04-20)

Minimum Engine: 5.1.00

File Length: various

Description Added: 2007-12-06

Description Modified: 2008-02-05

Malware Proliferation

Characteristics

W32/Tufik is a virus that infects .exe files.

Upon execution, it copies itself to %WinDir%\alg.exe, then terminates itself.

It creates the process alg.exe.

It connects to a remote URL to download updated variants of itself and additional malware. The downloaded file is saved as %WinDir%\svchost.exe.

(where %WinDir% is the default Windows directory, for example C:\WINNT or C:\WINDOWS)

It creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lsass="%WinDir%\alg.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\svchost="%WinDir%\svchost.exe"

The virus infects .exe files by prepending itself to them.

It can propagate via network shares or removable drives by infecting the .exe files in shared folders or on removable drives.
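The following is an added example, not part of the original description, showing a triage heuristic for prepending infectors such as the one described above: it parses the first PE image's section table to find where that image ends, then looks in the overlay for a second, complete PE image (the original host). It assumes the infector's body is itself a PE image and that the host is left intact after it; the page states only that the virus prepends itself, so the exact layout of a Tufik-infected file is an assumption, and the sample files are constructed for the demonstration.

```python
import struct

SECTION_HDR = 40          # size of one IMAGE_SECTION_HEADER
PE_OPT_SIZE = 0xE0        # SizeOfOptionalHeader for a PE32 image

def make_pe(payload: bytes) -> bytes:
    """Constructed minimal one-section PE32 file around `payload` (test data only,
    not a real program and not the virus described on the page)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, PE_OPT_SIZE, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (PE_OPT_SIZE - 2)   # PE32 magic
    raw_ptr = 0x200
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                        len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + payload

def pe_image_end(data: bytes, base: int = 0):
    """Offset one past the last raw section of the PE image starting at `base`,
    or None if no complete PE image starts there."""
    try:
        if data[base:base + 2] != b"MZ":
            return None
        pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsect = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        sect_tbl = pe + 24 + opt_size
        end = sect_tbl + SECTION_HDR * nsect               # at least the headers
        for i in range(nsect):
            raw_size, raw_ptr = struct.unpack_from("<II", data, sect_tbl + SECTION_HDR * i + 16)
            end = max(end, base + raw_ptr + raw_size)
    except struct.error:
        return None
    return end if end <= len(data) else None            # truncated image: not a PE

def find_prepended_host(data: bytes):
    """Heuristic for prepending infectors: return the offset of a complete second
    PE image found in the overlay beyond the first image's last section, else None."""
    end = pe_image_end(data)
    if end is None:
        return None
    pos = data.find(b"MZ", end)
    while pos != -1:
        if pe_image_end(data, pos) is not None:
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None
```

A plain overlay (installer data, an Authenticode signature) is not flagged, since only a parseable, untruncated second PE image counts; a hit still needs confirmation, because some legitimate packers and installers also embed whole PE files.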

Symptoms

- registry keys added by the virus, as described above

- processes created by the virus, as described above

Method of Infection

W32/Tufik is a virus that infects PE files and spreads over floppy drives, other removable devices and network shares. It can also be downloaded by another malware or variant.

Removal

Variants