Neutralizing Tofsee Spambot - Part 2 | InMemoryConfig store vaccine
ID: 29ae578d-cd0c-540b-8845-89e6efdcf5da
STIX ID: report--29ae578d-cd0c-540b-8845-89e6efdcf5da
Feed Name: The Spamhaus Project
This excerpt describes Tofsee botnet configuration storage and retrieval: it enumerates multiple filesystem (including ADS and user-profile paths) and registry locations used to persist XOR-encoded chained configuration buffers, and identifies the 'work_srv' and 'start_srv' structures retrieved during the initial command-and-control connection.
