Categories: Backdoor

BScope.Backdoor.Tofsee removal tips

The BScope.Backdoor.Tofsee is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What BScope.Backdoor.Tofsee virus can do?

Executable code extraction
Injection (inter-process)
Injection (Process Hollowing)
At least one process apparently crashed during execution
Creates RWX memory
A process attempted to delay the analysis task.
Attempts to connect to a dead IP:Port (5 unique times)
Starts servers listening on 0.0.0.0:6087
Reads data out of its own binary image
A process created a hidden window
Drops a binary and executes it
Unconventionial language used in binary resources: Georgian
Uses Windows utilities for basic functionality
Enumerates services, possibly for anti-virtualization
Executed a process and injected code into it, probably while unpacking
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
Installs itself for autorun at Windows startup
A possible cryptomining command was executed
Attempts to interact with an Alternate Data Stream (ADS)
Anomalous binary characteristics

Related domains:

microsoft-com.mail.protection.outlook.com

181.86.68.138.dnsbl.sorbs.net

181.86.68.138.bl.spamcop.net

181.86.68.138.zen.spamhaus.org

181.86.68.138.sbl-xbl.spamhaus.org

181.86.68.138.cbl.abuseat.org

msr.pool.gntl.co.uk

How to determine BScope.Backdoor.Tofsee?


File Info:
crc32: 31131BAEmd5: b0615d7980550b0d271e1abbfceca9dfname: B0615D7980550B0D271E1ABBFCECA9DF.mlwsha1: f7dbe5d1dd6069adea0105b3c2a0204086892718sha256: 1036e55bae6a12d05677589f661b60d4c46fa92b814b4610ccc4a85eb30bb0e4sha512: 71cb6b233d32f5b98d5d9ff85fa2a52dfff63f86f22a173611a343d10fa09b4b412ead67dbc0922015e694063d96ec083c748090e0a4ca4077f476a144bd649bssdeep: 24576:D/OhO6zfZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:zOhtype: PE32 executable (GUI) Intel 80386, for MS Windows
Version Info:
InternalName: startrek.udaFileV: 1.2.9

BScope.Backdoor.Tofsee also known as:

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69387
FireEye	Generic.mg.b0615d7980550b0d
Qihoo-360	HEUR/QVM20.1.3967.Malware.Gen
ALYac	Trojan.GenericKDZ.69387
Cylance	Unsafe
Sangfor	Malware
BitDefender	Trojan.GenericKDZ.69387
TrendMicro	Mal_Tofsee
Cyren	W32/Kryptik.BZD.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packed.Tofsee-9269577-0
Kaspersky	HEUR:Trojan.Win32.AntiAV.pef
Ad-Aware	Trojan.GenericKDZ.69387
Sophos	Mal/Kryptik-EA
F-Secure	Heuristic.HEUR/AGEN.1138815
DrWeb	Trojan.Siggen10.60362
Invincea	Mal/Kryptik-EA
McAfee-GW-Edition	BehavesLike.Win32.Trojan.vh
Emsisoft	Trojan.GenericKDZ.69387 (B)
Avira	HEUR/AGEN.1138815
Antiy-AVL	Trojan[Backdoor]/Win32.Tofsee
Microsoft	Trojan:Win32/Glupteba.DSI!MTB
Gridinsoft	Trojan.Heur!.02812021
Arcabit	Trojan.Generic.D10F0B
ZoneAlarm	HEUR:Trojan.Win32.AntiAV.pef
GData	Trojan.GenericKDZ.69387
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.MalPe.R347364
Acronis	suspicious
McAfee	Packed-GCZ!B0615D798055
MAX	malware (ai score=80)
VBA32	BScope.Backdoor.Tofsee
Malwarebytes	Trojan.MalPack.GS
ESET-NOD32	a variant of Win32/Kryptik.HFLV
TrendMicro-HouseCall	Mal_Tofsee
Rising	Trojan.Kryptik!1.CA64 (CLASSIC)
SentinelOne	Static AI – Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Kryptik.HFTR!tr
AVG	Win32:DropperX-gen [Drp]
CrowdStrike	win/malicious_confidence_100% (D)
MaxSecure	Trojan.Malware.300983.susgen