The Facebook Tofsee Trojan includes an anti-virus which deletes other hacker codes

Be aware of the Tofsee trojan, as this Trojan is packed with anti-virus features.

What?! Yes, the Tofsee trojan is capable of infecting and curing machines which have been infected with other types of malware.

The Tofsee trojan has been researched by the DrWeb security team, and they provided the following information about the Tofsee Trojan.

Sometimes users disregard the need to protect their computers with anti-virus software, and as a result their systems get infected. It can be said that, in this respect, users whose computers are infected with the multi-componentTrojan.Tofsee are a little luckier than other people— apart from the spamming it does, the Trojan can also cure a system of other threats, and, surprisingly, it is quite good at it.

How does it spread

Trojan.Tofsee is spread in a variety of ways: via Skype, social networking sites, and removable drives. In the first case, criminals use the most common social engineering techniques and try to convince users that shocking videos and photos of them are available on the Internet. Although this approach has been used by virus distributors for many years, people still fall into this simple trap.

A special module, which is downloaded by the malware from a criminal-owned server, is responsible for distributingTrojan.Tofsee via Twitter, Facebook and VKontakte, as well as through Skype. Messages sent by the module are generated using the template found in the configuration file. Messages sent to users of social networking sites are created in the users’ expected language.

DivX plug-in required! You don't have the plugin required to view the video, save the video and run it locally, if your download does not start, click here please. 
DivX plug-in required! You don’t have the plugin required to view the video, save the video and run it locally, if your download does not start, click here please. – Picture via Dr. Web

The message text contains a link to the page where the user can supposedly access the reputation-damaging videos and photos. However, to view this content, the user is prompted to download the browser plugin which in fact is Trojan.Tofsee.

Currently, Tofsee.Trojan can download from remote servers 17 plugins implemented as dynamic-link libraries. In addition to the modules described above, Trojan.Tofsee also uses the following plugins:

  • A plugin for verifying remote host addresses transmitted to the plugin as a configuration data block.
  • A plugin for executing DDoS-attacks. It can mount two types of attacks: http flood and syn flood;
  • An encrypted Trojan.PWS.Pony.5 plugin;
  • A plugin that logs data used by Internet Explorer. This plugin which has its own configuration file extracts from its body the library IEStub.dll and injects it into the browser process. It has a configuration file of its own;
  • A plugin that processes graphics files that are subsequently used by other plugins;
  • A module that retrieves email addresses from the Internet Account Manager and PStoreCreateInstance, generates sender addresses according to the template % NAMEPC%, and tries to send messages to the addresses on the generated list;
  • A plugin that downloads Trojan.BtcMine.148 which is designed to mine bitcoins. It installs Trojan.BtcMine.148 in a system and provides it with all the necessary operational parameters;
  • A plugin that installs Trojan.Siggen.18257 in the system32drivers folder as a file with a random name and the extension .sys, and then runs it;
  • An HTTP and socks5 proxy module;
  • A plugin that generates and sends emails; It uses its own script language to generate messages and sends them over HTTPS; SSL encryption is implemented through Microsoft Unified Security Protocol Provider;
  • The low-level traffic interception and analysis library uses a special driver to perform its tasks. It searches the data stream for information transmitted via FTP and SMTP and can modify the address and body of a message;
  • The plugin that generates and processes configuration templates;
  • The script language plugin involved in creating spam messages.

Facebook and other social media networks

It is not only the Facebook environment which is being targeted by the cybercriminals to spread their malicious application. The hackers are using various resources (Twitter, Skype, Chats) to infect unaware people with the Tofsee Trojan. As you can see in the first picture, the hackers behind the trojan have crafted a fake website which looks like the Facebook environment. This scheme is being used by scammers and hackers to infect people with malicious codes and money generating surveys.


The Tofsee Trojan uses a bitcoin grabber to create a revenue for the administrators behind the Tofsee Trojan.  Take a look at the security tips which will help you to stay safe. The following collection of security questions can be used to discuss the security status of your company.

Be aware of the various schemes which are luring unaware social media users. Use this checklist to control the security status of your social media account.

A lot of the information has been copied and pasted from the Dr. Web article on the Tofsee Trojan.

Share this info: