Win32/Spy.Tuscas [Threat Name]
Win32/Spy.Tuscas.A [Threat Variant Name]
Category | trojan
Size | 342528 B
Aliases | Trojan-Dropper.Win32.Injector.jztn (Kaspersky)
        | Win32:Zbot-TCT (Avast)
        | TR/Drop.Injector.jztn (Avira)
Short description
Win32/Spy.Tuscas.A is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
When executed, the trojan creates the following files:
- %folder%\client.dll (228864 B, Win32/Spy.Tuscas.A)
- %folder%\aplib.dll (11264 B)
- %folder%\aplib64.dll (12800 B)
- %folder%\zlib1.dll (59904 B)
%folder% stands for one of the following locations:
- %windir%
- %appdata%
- %temp%
- %currentfolder%
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "rundll32 "%folder%\client.dll",CreateProcessNotify"
The value name is not fixed: a string with variable content is used instead of %variable%.
The trojan creates and runs a new thread with its own program code within the following processes:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe
The trojan loads and injects the client.dll library into the following processes:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe
After the installation is complete, the trojan deletes the original executable file.
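The persistence entry and the dropped files above give a host-triage check that can be run on data already exported from a machine (the Run-key values and a file listing), so it does not need Windows to run. The code below is an added example, not ESET's code and not taken from the sample: it parses rundll32 command lines in general form (quoted or bare program path, quoted or bare DLL path, `,Export` suffix) and flags the client.dll / CreateProcessNotify combination and the dropped-file name/size pairs listed on this page. The sample Run entries, paths and file sizes other than the page's are constructed for the example.

```python
"""Offline triage for the Win32/Spy.Tuscas.A installation indicators on this page.

Added example, not ESET's code. It works on data already collected from a host
(exported Run-key values and a file listing), so it runs on any OS.
"""
import ntpath

# Dropped files from the Installation section, name -> size in bytes.
DROPPED_FILES = {
    "client.dll": 228864,
    "aplib.dll": 11264,
    "aplib64.dll": 12800,
    "zlib1.dll": 59904,
}
# Export named in the Run-key value on this page.
PERSISTENCE_EXPORT = "CreateProcessNotify"


def _take_token(s):
    """Split off the first token, honouring double quotes. Returns (token, rest)."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return None, ""
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1)
    if not parts:
        return None, ""
    return parts[0], parts[1] if len(parts) > 1 else ""


def parse_rundll32(command):
    """Parse 'rundll32[.exe] <dll>,<export> ...' into (dll, export), else None.

    Accepts a quoted or bare program path and a quoted or bare DLL path, e.g.
      rundll32 "%appdata%\\client.dll",CreateProcessNotify
      "C:\\Windows\\System32\\rundll32.exe" C:\\x\\y.dll,Entry arg
    """
    prog, rest = _take_token(command)
    if prog is None or ntpath.basename(prog).lower() not in ("rundll32", "rundll32.exe"):
        return None
    rest = rest.lstrip()
    if rest.startswith('"'):
        dll, rest = _take_token(rest)
        if dll is None:
            return None
    else:
        if "," not in rest:
            return None
        dll, rest = rest.split(",", 1)
        rest = "," + rest
    rest = rest.lstrip()
    if not rest.startswith(","):
        return None
    export = rest[1:].lstrip().split(None, 1)
    return dll.strip(), (export[0] if export else "")


def flag_run_values(run_values):
    """run_values: {value name: data} exported from HKCU\\...\\Run. Returns matching entries."""
    hits = []
    for name, data in run_values.items():
        parsed = parse_rundll32(data)
        if parsed is None:
            continue
        dll, export = parsed
        if ntpath.basename(dll).lower() == "client.dll" and export == PERSISTENCE_EXPORT:
            hits.append({"value": name, "dll": dll, "export": export})
    return hits


def flag_dropped_files(listing):
    """listing: iterable of (path, size). Returns paths whose name AND size match the IOC set."""
    hits = []
    for path, size in listing:
        base = ntpath.basename(path).lower()
        if base in DROPPED_FILES and DROPPED_FILES[base] == size:
            hits.append(path)
    return hits


# Constructed sample data (not from a real host): a benign entry, a Tuscas-style
# entry, and a rundll32 lookalike with a different export that must not be flagged.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "x7fq2": r'rundll32 "C:\Users\u\AppData\Roaming\client.dll",CreateProcessNotify',
    "Updater": r'"C:\Windows\System32\rundll32.exe" C:\Tools\client.dll,DllRegisterServer',
}
SAMPLE_FILES = [
    (r"C:\Users\u\AppData\Roaming\client.dll", 228864),
    (r"C:\Users\u\AppData\Roaming\zlib1.dll", 59904),
    (r"C:\Program Files\App\zlib1.dll", 80000),  # same name, different size: ignored
]

if __name__ == "__main__":
    for h in flag_run_values(SAMPLE_RUN):
        print("persistence:", h)
    for p in flag_dropped_files(SAMPLE_FILES):
        print("dropped file:", p)
```

Matching on name and size together keeps the generic library names (zlib1.dll, aplib.dll) from flooding the result; a client.dll with a different size is still worth a look, since the page lists only one variant.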
Information stealing
Win32/Spy.Tuscas.A is a trojan that steals sensitive information.
The trojan collects the following information:
- installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
- information about the operating system and system settings
- list of running services
- list of running processes
- login user names for certain applications/services
- login passwords for certain applications/services
The trojan collects sensitive information when the user browses certain web sites.
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of two URLs. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- capture screenshots
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\AppDataLow\%variable%]
The subkey name is not fixed: a string with variable content is used instead of %variable%.
The trojan hooks the following API functions (the PR_* entries belong to Firefox's NSPR library, nspr4.dll, rather than to Windows):
- closesocket (ws2_32.dll)
- CreateProcessA (kernel32.dll)
- CreateProcessAsUserA (advapi32.dll)
- CreateProcessAsUserW (advapi32.dll)
- CreateProcessW (kernel32.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetConnectA (wininet.dll)
- InternetConnectW (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
- LoadLibraryA (kernel32.dll)
- LoadLibraryExA (kernel32.dll)
- LoadLibraryExW (kernel32.dll)
- LoadLibraryW (kernel32.dll)
- PR_Close (nspr4.dll)
- PR_Connect (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- recv (ws2_32.dll)
- WSASend (ws2_32.dll)
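The page lists which exports are hooked but not how. The check below is an added example, not ESET's code and not derived from the sample; it assumes the common user-mode method of overwriting the start of the export with a detour (jmp rel32, jmp [mem], push/ret, or mov eax/jmp eax) in a 32-bit process, and reports every listed export whose first instruction leaves its own module, either into memory backed by no module (the injected-thread case above) or into another loaded DLL such as client.dll. The input is a dump of each export's first bytes and the loaded-module ranges, as a memory-forensics tool would supply; the addresses, module ranges and byte sequences here are constructed for the example.

```python
"""Classify the first bytes of hooked exports as inline detours (added example, not ESET's code).

Assumes a 32-bit process and the prologue-overwrite style of user-mode hook; all
addresses and bytes below are constructed for illustration.
"""
import struct

# Exports this page lists as hooked; a real scan starts by dumping the first bytes of these.
HOOKED_APIS = (
    "ws2_32.dll!closesocket", "ws2_32.dll!recv", "ws2_32.dll!WSASend",
    "kernel32.dll!CreateProcessA", "kernel32.dll!CreateProcessW",
    "advapi32.dll!CreateProcessAsUserA", "advapi32.dll!CreateProcessAsUserW",
    "kernel32.dll!LoadLibraryA", "kernel32.dll!LoadLibraryW",
    "kernel32.dll!LoadLibraryExA", "kernel32.dll!LoadLibraryExW",
    "wininet.dll!HttpSendRequestA", "wininet.dll!HttpSendRequestW",
    "wininet.dll!HttpSendRequestExA", "wininet.dll!HttpSendRequestExW",
    "wininet.dll!InternetConnectA", "wininet.dll!InternetConnectW",
    "wininet.dll!InternetQueryDataAvailable", "wininet.dll!InternetReadFile",
    "wininet.dll!InternetReadFileExA", "wininet.dll!InternetReadFileExW",
    "nspr4.dll!PR_Close", "nspr4.dll!PR_Connect", "nspr4.dll!PR_Read", "nspr4.dll!PR_Write",
)


def classify_prologue(code, address):
    """Recognise common detour stubs at the start of a function.

    Returns (kind, target) or None. `address` is where `code` was read from; it is
    needed to resolve a relative jump. An indirect jump needs the pointer slot read
    separately, so its target is reported as None.
    """
    if len(code) >= 5 and code[0] == 0xE9:                             # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (address + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                     # jmp dword ptr [mem]
        return ("jmp indirect", None)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:         # push imm32; ret
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32; jmp eax
        return ("mov eax; jmp eax", struct.unpack_from("<I", code, 1)[0])
    return None


def owner_of(target, modules):
    """Name of the loaded module whose (start, end) range contains target, else None."""
    for name, (start, end) in modules.items():
        if start <= target < end:
            return name
    return None


def scan(exports, modules):
    """exports: {'dll!Export': (address, first_bytes)}; modules: {name: (start, end)}.

    Reports each export whose first instruction transfers control out of its own module.
    Caveat: on x64 Windows, kernel32 stubs legitimately jump into kernelbase.dll, so a
    target inside another system DLL is a lead for review, not a verdict.
    """
    findings = []
    for name, (address, code) in exports.items():
        hit = classify_prologue(code, address)
        if hit is None:
            continue
        kind, target = hit
        own = name.split("!")[0].lower()
        owner = "unresolved (read pointer slot)" if target is None else owner_of(target, modules)
        if owner is None or owner.lower() != own:
            findings.append({"export": name, "kind": kind, "target": target, "owner": owner})
    return findings


def make_jmp_rel32(from_addr, to_addr):
    """The 5-byte 'jmp rel32' a hook installer writes at from_addr (used to build the sample)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed sample of a 32-bit browser process: module ranges and the first bytes of
# three of the listed exports. Nothing here comes from a real memory image.
SAMPLE_MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "wininet.dll": (0x76A00000, 0x76B00000),
    "ws2_32.dll": (0x71AB0000, 0x71AC7000),
    "client.dll": (0x00A50000, 0x00A88000),   # the injected library named on this page
}
SAMPLE_EXPORTS = {
    # untouched hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp
    "kernel32.dll!CreateProcessW": (0x7C802367, b"\x8B\xFF\x55\x8B\xEC"),
    # jmp rel32 into memory backed by no module (the injected-thread case)
    "wininet.dll!HttpSendRequestA": (0x76A01000, make_jmp_rel32(0x76A01000, 0x00A40010) + b"\x90" * 3),
    # push imm32; ret into client.dll
    "ws2_32.dll!WSASend": (0x71AB1000, b"\x68" + struct.pack("<I", 0x00A50100) + b"\xC3"),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORTS, SAMPLE_MODULES):
        print(f)
```

The ownership test is what separates a hook from a benign forwarder: a detour that lands in unbacked memory, or in a DLL that the process should not have loaded, is the signal, whereas a jump between two system DLLs needs a closer look before it is called malicious.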