From time to time, when I start the Tor Browser (either in its latest version or many, many versions before), Tor Browser tries to establish a connection to the following web site: https://www .vzvyv. com (for reasons of security with spaces).
My antivirus program recognizes the web site as a phishing site and blocks the connection.
Several scan engines on VirusTotal also recognize the site as malicious: VirusTotal
Could anyone explain to me why the Tor Browser tries to establish the above-mentioned connection every now and then while starting up? And the web site looks far from certain to me.
I’m using Windows 11 25H2 Build 26200.8116 and Tor Browser for Windows x86_64 portable v15.0.8. But as mentioned before, this phenomenon started a really long time ago.
That’s rather concerning. Where did you download this copy of Tor browser? There have been reports on how Internet users are targeted with Tor browser packages maliciously modified. Like the one Kaspersky reported:
Can you share a compressed copy of your Tor browser folder (with bookmarks removed)? I wonder if it’s a sort of malware infecting your Tor browser, or you’re using a copy laced with malicious modification.
You can upload the archive file here and share the link in the forum:
I always download the Tor Browser only (without exception) from the common site: Index of /torbrowser
Okey-dokey… I uploaded the compressed Zip-file from the Tor Browser folder. The link is: Send
And as mentioned, I recognized this phenomenon for the first time a long time ago… years, since I switched my antivirus program from Kaspersky to Bitdefender.
From what I can figure out, vzvyv [dot] com does not even have an IP address associated with it. Even ping says not found, so I wonder how Virustotal could add 2 more.
ping -n 1 vzvyv.com
Ping request could not find host vzvyv.com. Please check the name and try again.
ping -n 1 www.vzvyv.com
Ping request could not find host www.vzvyv.com. Please check the name and try again.
Bitdefender added 2 files into the Tor folder which are not there in a vanilla install of that EXE you used to download Tor.
Why not do a fresh install? Delete the Tor folder from the desktop (or rename it) and reinstall your EXE.
Edited later:
Forgot to mention which files Bitdefender added.
Tor Browser\Browser\bd_config.cfg
Tor Browser\Browser\defaults\pref\bd_js_config.js
Yes, I’ve also noticed that the page can be accessed using certain browsers, but doesn’t appear at all with others.
To me, the whole situation seems very strange and somehow fishy, as far as I can tell. And as you said, it’s surprising that VirusTotal even found the site.
I will now perform a reinstall of the Tor Browser and keep an eye on how it behaves.
I’m following this topic and the one cross-linked by @unic3rn with interest. This issue would appear to be qualitatively different from the other one, as here the user’s AV software has explicitly flagged the domain in question as malicious. A couple of questions arise:
Could the documentation be improved to explain that it is normal to see Tor Browser connecting to randomly generated domains on certain ports? This point is more relevant to the cross-linked issue.
Is there a safe and easy way for a user to check if any given domain flagged by AV software is a legitimately created obfuscated relay address, as helpfully explained in this comment? Do such domains belong to a deterministic pool, which could be checked against, e.g. at torproject.org?
The fact that Tor Browser does connect to randomly generated domains seems to be an ideal cover for an attacker who wants to craft a maliciously modified Tor Browser package of the kind @Lind has referred to above. In this case it would seem very important to determine if the domain in question is legitimate or not. If it is malicious and the user did download Tor Browser properly, it could point to a wider infection on the user’s machine. In this case simply reinstalling TB may not be sufficient to fix the problem. Anyway, it will be interesting to find out if a reinstall does fix the issue.
I let that copy of Tor Browser run for an hour, and the machine it ran on didn’t generate any DNS queries to www[dot]vzvyv[dot]com; also an antivirus scan didn’t find anything suspicious (though undetected viruses might stay under the radar due to how antivirus programs generally work).
I did notice that Tor browser seems to generate TLS traffic with random domain name SNI, and the targets are mostly Tor relay nodes. As others suggested, this may be due to how Tor works. These domains didn’t appear in the DNS query record at the same time.
May I ask how you noticed that Tor browser is contacting www[dot]vzvyv[dot]com?
I will take a look at the two Bitdefender files. They appear in a fresh install of Tor Browser or Firefox etcetera as well. I will try to figure out what kind of purpose they have.
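The observation in the post above (TLS ClientHellos carrying random-looking SNI names toward relay addresses, with no matching DNS query) is something a user can check for themselves from a host firewall or packet-capture log. The script below is an added example, not code from the thread or from the Tor Project; the log format, the names, the IPs (documentation range 203.0.113.0/24) and the regex for the "random" SNI shape are all constructed assumptions based only on the www.vzvyv.com example in this thread.

```python
import re

# Constructed sample logs (not from the thread): what a host firewall or packet
# capture might record during Tor Browser startup. Names, times and IPs are made up.
DNS_LOG = """\
10:00:01 A? aus1.torproject.org -> 203.0.113.10
10:00:06 A? login.example.net -> 203.0.113.90
"""
TLS_LOG = """\
10:00:02 TLS ClientHello sni=aus1.torproject.org dst=203.0.113.10:443
10:00:03 TLS ClientHello sni=www.vzvyv.com dst=203.0.113.55:443
10:00:04 TLS ClientHello sni=www.h7q2kd9xm.com dst=203.0.113.77:9001
10:00:07 TLS ClientHello sni=login.example.net dst=203.0.113.91:443
"""

DNS_RE = re.compile(r"^\S+ A\? (\S+) -> (\S+)$")
TLS_RE = re.compile(r"^\S+ TLS ClientHello sni=(\S+) dst=(\S+):(\d+)$")
# Assumed shape of the made-up SNI names, inferred from the one example in this
# thread ("www." + short random label + ".com"). A heuristic, not a Tor specification.
RANDOM_SNI_RE = re.compile(r"^www\.[a-z0-9]{4,25}\.com$")


def parse_dns(text):
    """Return {queried name: answer IP} for every DNS query line."""
    answers = {}
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            answers[m.group(1)] = m.group(2)
    return answers


def classify(dns_text, tls_text):
    """Label each TLS SNI by whether a DNS lookup for that name produced the destination IP."""
    dns = parse_dns(dns_text)
    result = {}
    for line in tls_text.splitlines():
        m = TLS_RE.match(line)
        if not m:
            continue
        sni, ip, port = m.groups()
        if dns.get(sni) == ip:
            label = "resolved_by_dns"       # ordinary browsing: lookup first, then connect
        elif RANDOM_SNI_RE.match(sni):
            label = "no_dns_random_shape"   # connect-by-IP with a made-up name: the relay pattern described above
        else:
            label = "no_dns_other"          # connect-by-IP with a real-looking name, or IP mismatch: look closer
        result[sni] = (label, ip, int(port))
    return result


if __name__ == "__main__":
    for sni, (label, ip, port) in classify(DNS_LOG, TLS_LOG).items():
        print(f"{sni:24} {ip}:{port:<5} {label}")
```

A flagged name that shows up only as an SNI toward a relay's IP and ORPort, with no DNS lookup behind it, fits the behaviour described in the post; a name that was actually resolved and then connected to is ordinary web traffic and deserves the AV alert to be taken at face value.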
@unic3rn I read it yesterday as well and also thought that there might be a correlation between the two cases.
Question for everyone:
Can I do anything so that my posts don’t need myriads of hours until they get approved? Is there a way to publish them faster? Unfortunately, it’s not possible for me to follow and answer this discussion in an adequate way or time.
I get an alert message (phishing alert) from Bitdefender saying Tor Browser tries to connect to the website www[dot]vzvyv[dot]com, which is flagged as a phishing one, and I had to confirm that I want to establish the suspicious connection. As far as I can see, this only happens when Tor Browser connects to the internet for the first time. Which means, after having pressed the button “Connect”, which I always disallow to execute.
@Noino My system is quite safe and clean as far as I can rate it, ’cause I regularly scan it. It is therefore highly unlikely that I have been infected with malware.
I’ve scanned my system with three different antivirus programs without finding any malware at all. I’m highly sure that there is no malware hiding on my system. I’m maintaining my system with the highest attention.
This phenomenon must definitely have another origin… or in other words, it’s an issue of the Tor Browser. After deleting the folder of the Tor Browser and having done a fresh install, I will see if the issue occurs again.