Categories: Backdoor

Backdoor.Win32.Tofsee.dowr removal guide

The Backdoor.Win32.Tofsee.dowr is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Backdoor.Win32.Tofsee.dowr virus can do?

Executable code extraction
Injection (inter-process)
Injection (Process Hollowing)
Creates RWX memory
A process attempted to delay the analysis task.
Attempts to connect to a dead IP:Port (19 unique times)
Starts servers listening on 0.0.0.0:7629
Reads data out of its own binary image
A process created a hidden window
Drops a binary and executes it
Performs some HTTP requests
Unconventionial language used in binary resources: Ukrainian
The binary likely contains encrypted or compressed data.
The executable is compressed using UPX
Uses Windows utilities for basic functionality
Enumerates services, possibly for anti-virtualization
Executed a process and injected code into it, probably while unpacking
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
Installs itself for autorun at Windows startup
A possible cryptomining command was executed
Attempts to interact with an Alternate Data Stream (ADS)
Anomalous binary characteristics

Related domains:

z.whorecord.xyz

a.tomx.xyz

microsoft-com.mail.protection.outlook.com

0.0.0.0.dnsbl.sorbs.net

0.0.0.0.bl.spamcop.net

0.0.0.0.zen.spamhaus.org

0.0.0.0.sbl-xbl.spamhaus.org

0.0.0.0.cbl.abuseat.org

www.instagram.com

msr.pool-pay.com

ip.pr-cy.hacklix.com

i.instagram.com

instagram.com

How to determine Backdoor.Win32.Tofsee.dowr?


File Info:
crc32: 5545D285md5: d42469f27655d920e07a477d66cd8075name: D42469F27655D920E07A477D66CD8075.mlwsha1: 36ca1ae933220ef6b275786742571229707f0441sha256: de72929ec2b53972fbb661bc77fb97bb14a49a2c2bf408e08c2e061accd01f5bsha512: 804da9e846c894b2eb67d5c8fd5744f4833a1b7b26d80535664e5cdd87690e8a69bb0a124f51fbdb25e5ed7aef6893c00cebcd95a2bdd6d01ccc23a7f06b8fe1ssdeep: 3072:vwiJSskZO1mtcy/2yac9Ai4ODvy2WW8sJyLH60S4VbmsyCa:YKSstmtcy31y2WW8szLcGtype: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Version Info:
InternalSurname: debaukd.ekzeProd: 1.2.7FileVersions: 1.0.5.6LegalCo: Copyri (C) 2019, permudationz

Backdoor.Win32.Tofsee.dowr also known as:

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.45225970
FireEye	Generic.mg.d42469f27655d920
McAfee	RDN/Generic.grp
Cylance	Unsafe
Sangfor	Malware
BitDefender	Trojan.GenericKD.45225970
K7GW	Trojan ( 005756061 )
CrowdStrike	win/malicious_confidence_100% (D)
BitDefenderTheta	Gen:NN.ZexaF.34700.kmGfauh3mscc
Cyren	W32/Kryptik.CVF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.EZFG
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
Kaspersky	Backdoor.Win32.Tofsee.dowr
Ad-Aware	Trojan.GenericKD.45225970
F-Secure	Trojan.TR/AD.Tofsee.ocnel
DrWeb	Trojan.Siggen11.56832
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Emsisoft	Trojan.GenericKD.45225970 (B)
Avira	TR/AD.Tofsee.ocnel
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/Glupteba!ml
Arcabit	Trojan.Generic.D2B217F2
AhnLab-V3	Trojan/Win32.Glupteba.R361154
ZoneAlarm	Backdoor.Win32.Tofsee.dowr
GData	Win32.Backdoor.Tofsee.4DINW3
Cynet	Malicious (score: 100)
Acronis	suspicious
Malwarebytes	Trojan.MalPack.GS
Panda	Trj/Genetic.gen
Rising	Backdoor.Agent!8.C5D (TFE:5:IhzqwXEXQUL)
SentinelOne	Static AI – Malicious PE
eGambit	Unsafe.AI_Score_88%
Fortinet	W32/Kryptik.HGHW!tr
AVG	Win32:DropperX-gen [Drp]
Qihoo-360	HEUR/QVM11.1.4022.Malware.Gen