Downloader.Liftoh Cousin to W32.Phopifas?

Downloader.Liftoh is a Trojan horse detected by Symantec that downloads malware onto the compromised computer without the user noticing.

A new variant of this threat, discovered in early May, was identified in some Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends messages in Spanish instead of English. The threat is similar to W32.Phopifas which we wrote about in our blog from October 2012.

The creators of Downloader.Liftoh use Skype, which is popular in Latin America, as well as other instant messaging applications to distribute the malware:

  1. The victim receives a message from someone who seems to be on their contact list. The message says, “esta es una foto muy amable de tu parte,” or “jaja, esta foto extraña de tu perfil,” or some similar message to entice the victim to click on a provided link. The link is from one of several URL shortener services, including,,,, and
    Figure 1.
    Malicious Skype message
  2. If the victim clicks on the shortened URL, they are redirected to a URL on the website.
  3. Once on the website, the victim is prompted to download a .zip file that contains Downloader.Liftoh disguised as a legitimate instant messaging file.
  4. If the victim unzips the file, they will find an .exe file inside.
  5. If the victim executes that .exe file, Downloader.Liftoh will have successfully compromised the computer.

Symantec has observed 171,553 clicks that this attack has received recently through Google’s URL shortener which the cybercriminals use in their campaign.


Figure 2. Downloader.Liftoh has 171,553 global clicks since May 20


Figure 3. Downloader.Liftoh Latin American click rate distribution

There are no geographic boundaries for malware distribution. Attackers only need to change malware code to a different language to find new computers to compromise. To protect yourself, Symantec recommends having up to date and comprehensive security solutions that include antispam and antivirus protections to prevent the compromise of personal computers and networks. It is also recommended that users not click on suspicious links or open any unusual files—even if they are sent from a known contact.