Worm:Win32/Tophos.A
First posted on 09 November 2012.
Source: Microsoft
Aliases:
Worm:Win32/Tophos.A is also known as TR/Tophos.A.2 (Avira), Win32/Tophos.A worm (ESET), Trojan.Win32.Cossta (Ikarus), Trojan.Win32.Cossta.uqt (Kaspersky), W32/Tophos-B (Sophos).
Explanation:
Worm:Win32/Tophos.A is a worm that copies itself to network shares and removable drives, displays an adult-oriented image, and may download additional malware onto your computer.
Installation
Worm:Win32/Tophos.A checks if the current process running it is "search.cmd". If not, then Worm:Win32/Tophos.A copies itself as "<startup folder>\search.cmd".
Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder on Windows 2000, XP, and 2003 is "%USERPROFILE%\Start Menu\Programs\Startup". On Windows Vista, 7, and 8, the default location is "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".
Worm:Win32/Tophos.A drops a picture file named "Photo.jpg" in the current folder. It opens this picture, which has adult content.
Spreads via...
Network shares
Worm:Win32/Tophos.A tries to copy itself to all writeable network shares as "Photo.scr". It may do this even through a wireless connection.
Removable drives
Worm:Win32/Tophos.A tries to copy itself to all removable drives as "Photo.scr".
Payload
Downloads and runs arbitrary files
Worm:Win32/Tophos.A connects to the server "cadretest.ru" to download and run arbitrary files, which may be malicious.
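The installation, spreading and payload sections above name four host and network indicators: "search.cmd" in either default Startup folder, "Photo.scr" on shares and removable drives, the "Photo.jpg" lure, and the download server "cadretest.ru". The script below is an added example for this page, not Microsoft's detection logic, that hunts for those indicators across a user profile, a set of drive or share roots, and a batch of log lines. It assumes that the worm's copy lands at the root of each share or drive (the write-up only says it copies itself "to" them), that name matching should be case-insensitive as on NTFS, and that the log lines are in a simple constructed "timestamp client query" format; the profile tree, drive contents and log lines in `demo()` are all constructed stand-ins, not the worm.

```python
"""Hunt for the host and network indicators listed in the Tophos.A write-up.

Added example for this page; it is not Microsoft's detection and every path
and log line below is constructed.  Matching is on file names and the C2
host name only, exactly as the write-up describes them.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# Indicators from the write-up (lower-cased; NTFS is case-insensitive, so a
# case-insensitive comparison is the sensible hunt behaviour - an assumption
# of this example, not a statement from the write-up).
STARTUP_DROPPER = "search.cmd"   # self-copy in the user's Startup folder
SHARE_DROPPER = "photo.scr"      # self-copy on writeable shares / removable drives
LURE_IMAGE = "photo.jpg"         # image dropped and opened in the current folder
C2_DOMAIN = "cadretest.ru"       # server contacted to download arbitrary files

# Default Startup folders quoted in the write-up, relative to %USERPROFILE%.
STARTUP_RELATIVE = (
    Path("Start Menu/Programs/Startup"),                                   # 2000 / XP / 2003
    Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"),  # Vista / 7 / 8
)

# Matches the C2 host, or any host under it, as a whole label sequence so that
# "notcadretest.ru" does not match while "www.cadretest.ru" does.
_C2_RE = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(C2_DOMAIN) + r"(?![\w-])", re.I)


def file_named(folder: Path, name: str) -> Optional[Path]:
    """Return the file in `folder` whose name equals `name` case-insensitively."""
    if not folder.is_dir():
        return None
    for entry in folder.iterdir():
        if entry.is_file() and entry.name.lower() == name:
            return entry
    return None


def find_startup_dropper(user_profile: Path) -> list:
    """search.cmd in either default Startup folder of one user profile."""
    return [hit for rel in STARTUP_RELATIVE
            if (hit := file_named(user_profile / rel, STARTUP_DROPPER))]


def find_share_droppers(roots: Iterable[Path]) -> list:
    """Photo.scr at the root of each mapped share or removable drive (assumed location)."""
    return [hit for root in roots if (hit := file_named(Path(root), SHARE_DROPPER))]


def c2_log_hits(lines: Iterable[str]) -> list:
    """Log lines (DNS, proxy, firewall) that mention the download server."""
    return [line for line in lines if _C2_RE.search(line)]


def hunt(user_profiles, share_roots, log_lines) -> dict:
    """Combine the three checks into one report; any hit marks the host as suspect."""
    report = {
        "startup_dropper": [p for prof in user_profiles for p in find_startup_dropper(Path(prof))],
        "share_dropper": find_share_droppers(share_roots),
        "c2_contact": c2_log_hits(log_lines),
    }
    report["infected"] = any(report[k] for k in ("startup_dropper", "share_dropper", "c2_contact"))
    return report


def demo() -> dict:
    """Build a constructed profile, removable drive and log, then hunt over them."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        profile = base / "Users" / "alice"
        startup = profile / STARTUP_RELATIVE[1]          # Vista/7/8 layout
        startup.mkdir(parents=True)
        (startup / "Search.cmd").write_bytes(b"rem constructed stand-in, not the worm")
        drive = base / "E"                                # constructed "removable drive"
        drive.mkdir()
        (drive / "Photo.scr").write_bytes(b"constructed stand-in")
        (drive / "Photo.jpg").write_bytes(b"constructed stand-in")
        clean = base / "F"                                # constructed clean drive
        clean.mkdir()
        logs = [                                          # constructed DNS log lines
            "2012-11-09 10:01:02 10.0.0.5 query A cadretest.ru",
            "2012-11-09 10:01:03 10.0.0.5 query A update.example.com",
            "2012-11-09 10:01:04 10.0.0.7 query A notcadretest.ru",
        ]
        report = hunt([profile], [drive, clean], logs)
        # Keep only file names so the result stays meaningful after the tempdir is removed.
        report["startup_dropper"] = [p.name for p in report["startup_dropper"]]
        report["share_dropper"] = [p.name for p in report["share_dropper"]]
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host you would pass the actual profile directories under `C:\Users` (or `C:\Documents and Settings`), the mount points of mapped shares and removable media, and exported DNS or proxy log lines; a hit on any one check is enough to isolate the machine and look for the "Photo.jpg" lure and the downloaded payloads the write-up warns about.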
Analysis by Patrik Vicol
Last update 09 November 2012