Win32/Spy.Tuscas [Threat Name]

Win32/Spy.Tuscas.A [Threat Variant Name]

Category: trojan
Size: 342528 B
Aliases: Trojan-Dropper.Win32.Injector.jztn (Kaspersky)
         Win32:Zbot-TCT (Avast)
         TR/Drop.Injector.jztn (Avira)
Short description

Win32/Spy.Tuscas.A is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %folder%\client.dll (228864 B, Win32/Spy.Tuscas.A)
  • %folder%\aplib.dll (11264 B)
  • %folder%\aplib64.dll (12800 B)
  • %folder%\zlib1.dll (59904 B)

The %folder% is one of the following strings:

  • %windir%
  • %appdata%
  • %temp%
  • %currentfolder%

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "rundll32 "%folder%\client.dll",CreateProcessNotify"

A string with variable content is used instead of %variable%.
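As an added example (not ESET's code and not part of this description), the following Python check works from the defender's side: it parses Run-key values for the rundll32 client.dll,CreateProcessNotify persistence entry described above and matches a folder listing against the dropped-file names and sizes listed under Installation. The Run-key dump and the file listing are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Dropped components listed above: file name -> size in bytes.
TUSCAS_DROPPED_FILES = {
    "client.dll": 228864,
    "aplib.dll": 11264,
    "aplib64.dll": 12800,
    "zlib1.dll": 59904,
}

# Parses a rundll32 command line of the form used for persistence above:
#   rundll32 "<folder>\client.dll",CreateProcessNotify
# The DLL path may be quoted or bare; case and spacing are not trusted.
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)

def parse_rundll32(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export_name) for a rundll32 command line, else None."""
    m = _RUNDLL_RE.match(command)
    return (m.group("dll").strip(), m.group("export")) if m else None

def find_tuscas_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag Run-key values (name -> data) that load client.dll via CreateProcessNotify."""
    hits = []
    for name, data in run_values.items():
        parsed = parse_rundll32(data)
        if parsed is None:
            continue
        dll, export = parsed
        if dll.lower().endswith("\\client.dll") and export.lower() == "createprocessnotify":
            hits.append((name, dll))
    return hits

def match_dropped_files(listing: Dict[str, int]) -> List[str]:
    """Return names from the listing (name -> size) whose name and size both match a dropped file."""
    return sorted(n.lower() for n, size in listing.items()
                  if TUSCAS_DROPPED_FILES.get(n.lower()) == size)

# Constructed sample data standing in for a Run-key dump and a folder listing (not from a real host).
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "x7f3a": r'rundll32 "C:\Users\u\AppData\Roaming\client.dll",CreateProcessNotify',
    "printer": r'rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /?',
}
SAMPLE_FILES = {"client.dll": 228864, "zlib1.dll": 59904, "aplib.dll": 11000}
```

Running `find_tuscas_run_entries(SAMPLE_RUN)` flags only the `x7f3a` value; the legitimate `printui.dll` rundll32 entry is parsed but not reported, and `aplib.dll` is excluded from the file match because its size differs from the value given above.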


The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

The trojan loads and injects the client.dll library into the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

After the installation is complete, the trojan deletes the original executable file.


Information stealing

Win32/Spy.Tuscas.A is a trojan that steals sensitive information.


The trojan collects the following information:

  • installed program components under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • information about the operating system and system settings
  • list of running services
  • list of running processes
  • login user names for certain applications/services
  • login passwords for certain applications/services

The trojan collects sensitive information when the user browses certain web sites.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of two URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\AppDataLow\%variable%]

A string with variable content is used instead of %variable%.


The trojan hooks the following Windows APIs:

  • closesocket (ws2_32.dll)
  • CreateProcessA (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • CreateProcessW (kernel32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • LoadLibraryA (kernel32.dll)
  • LoadLibraryExA (kernel32.dll)
  • LoadLibraryExW (kernel32.dll)
  • LoadLibraryW (kernel32.dll)
  • PR_Close (nspr4.dll)
  • PR_Connect (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
