W32/Tufik is a virus that infects .exe files.

Upon execution, it copies itself to %WinDir%\alg.exe, then kills itself.

It creates the process alg.exe.


It connects to a remote URL to download updated variants of itself and additional malware. The downloaded file is saved as %WinDir%\svchost.exe.

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lsass="%WinDir%\alg.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\svchost="%WinDir%\svchost.exe"

The virus infects .exe files by prepending itself.

It can propagate via network shares or removable drives by infecting the .exe files in shared folders or on removable drives.
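
The file and registry indicators listed above can be checked on a host with a short PowerShell script. This is an added example, not vendor code from the original description; the function name Get-TufikIndicator is hypothetical, and checking the Wow6432Node view of the Run key is an assumption that goes beyond the single key path the description gives.

```powershell
# Added example (not vendor code): report the W32/Tufik indicators from the description.
# On a stock install, alg.exe and svchost.exe live in %WinDir%\System32, not in %WinDir%.
$runSubKey = 'Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$runKeys = @(
    "HKLM:\SOFTWARE\$runSubKey",
    # Assumption: also check the 32-bit view, where 64-bit Windows redirects
    # HKLM\SOFTWARE writes made by 32-bit processes.
    "HKLM:\SOFTWARE\Wow6432Node\$runSubKey"
)
$indicators = @(
    @{ RunValue = 'lsass';   File = Join-Path $env:windir 'alg.exe' },
    @{ RunValue = 'svchost'; File = Join-Path $env:windir 'svchost.exe' }
)

function Get-TufikIndicator {
    param([string[]]$RunKeys, [hashtable[]]$Indicators)

    foreach ($ind in $Indicators) {
        # Collect the Run value from every registry view where it is present.
        $runHits = foreach ($key in $RunKeys) {
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            if ($props.PSObject.Properties.Name -contains $ind.RunValue) {
                [pscustomobject]@{ Key = $key; Data = $props.($ind.RunValue) }
            }
        }
        $fileExists = Test-Path -LiteralPath $ind.File -PathType Leaf
        $sha256 = $null
        # Hash the file so it can be handed to an AV vendor or looked up later.
        if ($fileExists) { $sha256 = (Get-FileHash -LiteralPath $ind.File -Algorithm SHA256).Hash }
        [pscustomobject]@{
            RunValue   = $ind.RunValue
            RunEntries = @($runHits)
            File       = $ind.File
            FileExists = $fileExists
            SHA256     = $sha256
            Flagged    = [bool]($fileExists -or (@($runHits).Count -gt 0))
        }
    }
}

Get-TufikIndicator -RunKeys $runKeys -Indicators $indicators |
    Format-List RunValue, File, FileExists, SHA256, Flagged, RunEntries
```

A flagged result covers only the dropped copies and the Run entries; because the virus prepends itself to other .exe files, those files still need a full antivirus scan.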

More information can be found at this McAfee page.