Win32/Spy.Tuscas [Threat Name] go to Threat

Win32/Spy.Tuscas.K [Threat Variant Name]

Category trojan
Size 299520 B
Aliases Virus.Win32.PolyRansom.e (Kaspersky)
  Trojan.Inject2.412 (Dr.Web)
  Virus:Win32/Ursnif.D (Microsoft)
Short description

Win32/Spy.Tuscas.K is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.


When executed, the trojan creates the following files:

  • %appdata%\­%variable%.exe
  • %system%\­%variable%.exe

A string with variable content is used instead of %variable% .

The trojan registers itself as a system service.

This causes the trojan to be executed on every system start.

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • chrome.exe

The trojan searches removable and network drives for files with the following file extensions:

  • *.pdf
  • *setup*.exe
  • *install*.exe
  • *update*.exe
  • *.msi

The trojan may replace these files with a copy of itself.

The trojan may write the program code of the malware into the following files:

  • *.msi
Information stealing

The trojan collects the following information:

  • installed program components under  [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall] Registry subkeys
  • information about the operating system and system settings
  • list of running processes
  • the list of installed software
  • list of installed device drivers

The trojan can modify network traffic.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • collect information about the operating system used
  • send gathered information

The trojan hooks the following Windows APIs:

  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • PR_Poll (nspr4.dll)
  • PR_Available (nspr4.dll)
  • PR_Close (nspr4.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpQueryIntoA (wininet.dll)
  • HttpQueryInfoW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.