Trojan:Win32/Tofumanics.C is a trojan that may download, upload, or execute arbitrary files. It may also close windows and modify computer settings.
Installation
Trojan:Win32/Tofumanics.C copies itself as the following hidden file:
- %ProgramFiles%\Common Files\Service Share\lsass.exe
It also hides the "%ProgramFiles%\Common Files\Service Share" folder.
Note that a legitimate Windows file also named "lsass.exe" exists by default in the Windows system folder; the malware's copy is distinguished by its path under "%ProgramFiles%\Common Files\Service Share".
Trojan:Win32/Tofumanics.C modifies the following registry entry to ensure that it runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe,%ProgramFiles%\Common Files\Service Share\lsass.exe"
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It then launches its new copy. The running copy monitors the above registry entry and restores it if the value is modified, so the persistence point cannot be cleaned while the process is still running.
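The following PowerShell script is an added example for the Installation section above, not part of the original analysis. It audits the Userinit persistence point and the hidden drop folder, flags any lsass.exe process whose image is not in System32, and, with -Remediate, stops that process before resetting the value (the order matters, because the running copy rewrites the value when it changes). It assumes an elevated prompt on Windows Vista or later, where the clean Userinit value is a single System32 entry followed by a trailing comma; the Join-Path-built paths and the -Remediate switch are this example's own.

```powershell
# Added example (not part of the original analysis): audits the Userinit
# persistence point and the drop location described above. Run from an
# elevated PowerShell prompt; -Remediate kills the rogue copy and resets
# the value. Assumes Windows Vista or later (single default Userinit entry).
param([switch]$Remediate)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32 = Join-Path $env:SystemRoot 'system32'
$expected = Join-Path $system32 'userinit.exe'
$dropDir  = Join-Path $env:ProgramFiles 'Common Files\Service Share'

# 1. Any lsass.exe whose image is not in System32 is not the real LSA process.
#    ExecutablePath is null for processes we cannot query; those are skipped.
$rogue = Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" |
    Where-Object { $_.ExecutablePath -and
                   (Split-Path $_.ExecutablePath -Parent) -ine $system32 }
foreach ($p in $rogue) {
    Write-Warning "lsass.exe running from $($p.ExecutablePath) (PID $($p.ProcessId))"
}

# 2. Userinit is a comma-separated list; the clean value is the single
#    System32 entry followed by a trailing comma.
$raw     = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$extra   = $entries | Where-Object {
    [Environment]::ExpandEnvironmentVariables($_) -ine $expected
}
if ($extra) { Write-Warning "Unexpected Userinit entries: $($extra -join ' ; ')" }
else        { Write-Output  "Userinit is clean: $raw" }

# 3. The drop folder and its contents are hidden, so -Force is required.
if (Test-Path -LiteralPath $dropDir) {
    Write-Warning "Drop folder present: $dropDir"
    Get-ChildItem -LiteralPath $dropDir -Force |
        Select-Object Name, Length, Attributes, LastWriteTime | Format-Table -AutoSize
}

# 4. The running copy rewrites Userinit whenever it changes, so the process
#    has to go before the registry value is touched.
if ($Remediate -and $extra) {
    foreach ($p in $rogue) { Stop-Process -Id $p.ProcessId -Force }
    Set-ItemProperty -Path $winlogon -Name Userinit -Value "$expected,"
    Write-Output "Userinit reset to '$expected,'"
}
```

The process filter deliberately keys on the image path rather than the name: terminating the genuine lsass.exe in System32 would bring the system down, so only copies running from elsewhere are ever stopped.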
Some samples of Trojan:Win32/Tofumanics.C do not run if any of the following folders are present, deleting themselves instead:
- %ProgramFiles%\lotus
- %ProgramFiles%\notes
- %ProgramFiles%\ibm
Payload
Downloads and executes arbitrary files
Trojan:Win32/Tofumanics.C may retrieve data, including updates for itself, from locations such as the following:
- search-win6.info
- smss-prosses.info
- win-nt-klc.info
- samtkl.net
It may also send files to, and retrieve files from, the file hosting site "depositfiles.com".
Modifies system security settings
Trojan:Win32/Tofumanics.C attempts to prevent certain programs from running on system startup by removing the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "AVP"
Note: This entry is commonly associated with Kaspersky Anti-Virus.
It attempts to disable the Windows Firewall by running the following command:
Netsh firewall set opmode disable
It also disables User Account Control (UAC), the mechanism that runs members of the Administrators group in "Admin Approval Mode" with a filtered, least-privileged token (the LUA, or Least-privileged User Account), by making the following registry modification:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
Note: With EnableLUA set to 0, applications started by an administrator run with full administrative privileges by default, without the user being prompted for consent. The change takes effect after the next restart.
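The following PowerShell script is an added example for the "Modifies system security settings" section above, not part of the original analysis. It checks the three settings the malware tampers with (EnableLUA, the Windows Firewall profiles, and the "AVP" Run value) and, with -Remediate, restores the first two. It assumes an elevated prompt; Get-NetFirewallProfile requires the NetSecurity module (Windows 8 / Server 2012 or later), and older systems fall back to "netsh advfirewall", the successor of the "netsh firewall" context the malware uses. The -Remediate switch and the $findings reporting are this example's own.

```powershell
# Added example (not part of the original analysis): audits, and with
# -Remediate reverts, the three security-setting changes described above.
# Run from an elevated PowerShell prompt. Get-NetFirewallProfile needs the
# NetSecurity module (Windows 8 / Server 2012 or later); older systems fall
# back to 'netsh advfirewall', the successor of the 'netsh firewall' context
# the malware uses.
param([switch]$Remediate)

$findings = @()

# 1. UAC. EnableLUA=0 turns off Admin Approval Mode for every administrator.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -ne 1) {
    $findings += "EnableLUA is '$lua' (expected 1): UAC is disabled"
    if ($Remediate) {
        Set-ItemProperty -Path $policy -Name EnableLUA -Value 1 -Type DWord
        $findings += 'EnableLUA reset to 1; effective after the next restart'
    }
}

# 2. Windows Firewall. Every profile should report Enabled = True.
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    foreach ($fwp in Get-NetFirewallProfile) {
        if ("$($fwp.Enabled)" -ne 'True') {
            $findings += "Firewall profile '$($fwp.Name)' is $($fwp.Enabled)"
            if ($Remediate) { Set-NetFirewallProfile -Name $fwp.Name -Enabled True }
        }
    }
} else {
    $state = netsh advfirewall show allprofiles state
    if ($state -match 'State\s+OFF') {
        $findings += 'At least one firewall profile is OFF (netsh advfirewall)'
        if ($Remediate) { netsh advfirewall set allprofiles state on | Out-Null }
    }
}

# 3. Kaspersky autostart. Only meaningful if the product is installed, so the
#    condition is reported rather than auto-fixed.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (-not (Get-ItemProperty -Path $run -Name AVP -ErrorAction SilentlyContinue)) {
    $findings += "No 'AVP' value under $run; if Kaspersky is installed, its autostart entry has been removed"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No findings.' }
```

Resetting EnableLUA only takes effect after a reboot, so a clean report from this script immediately after remediation still means UAC is off until the machine restarts.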
Closes or hides windows
The malware monitors Windows Explorer windows and hides any window in which the "%ProgramFiles%\Common Files\Service Share" folder is open.
Some samples of Trojan:Win32/Tofumanics.C look for windows with the title "Useful tip" or "Полезный совет" (Russian for "Helpful hint"), and, if found, send keyboard events to the window in order to close it.
Some samples also attempt to hide windows that contain the text "Skype" as well as one of "Sending file" or "Посылаем файл" (Russian for "Sending file") in their title.
Additional information
Some variants drop a text file containing the MD5 hash of themselves to "%ProgramFiles%\Common Files\Service Share\readme.txt" or "%ProgramFiles%\Common Files\temp.txt".
Analysis by David Wood