Win32/Spy.Tuscas [Threat Name]
Win32/Spy.Tuscas.K [Threat Variant Name]
Category | trojan
Size | 299520 B
Aliases | Virus.Win32.PolyRansom.e (Kaspersky), Trojan.Inject2.412 (Dr.Web), Virus:Win32/Ursnif.D (Microsoft)
Short description
Win32/Spy.Tuscas.K is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
When executed, the trojan creates the following files:
- %appdata%\%variable%.exe
- %system%\%variable%.exe
A string with variable content is used instead of %variable%.
The trojan registers itself as a system service.
This causes the trojan to be executed on every system start.
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
- firefox.exe
- iexplore.exe
- chrome.exe
Spreading
The trojan searches removable and network drives for files with the following file extensions:
- *setup*.exe
- *install*.exe
- *update*.exe
- *.msi
The trojan may replace these files with a copy of itself.
The trojan may write the program code of the malware into the following files:
- *.msi
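The two spreading behaviours above leave a recognisable footprint on a mounted drive: several differently named installers that share identical bytes (one infector body copied over each of them), and .msi packages whose first bytes are a PE "MZ" header rather than the OLE compound-document magic a genuine Windows Installer package carries. The following Python check is an added example written for this entry, not ESET's own tooling; it builds a constructed sample tree in a temporary directory (a fake removable drive with three replaced installers, one untouched installer and one overwritten .msi) and reports both indicators. The patterns are taken from the list above; the sample file names and contents are invented for the demonstration.

```python
import fnmatch
import hashlib
import os
import tempfile
from collections import defaultdict

# File-name patterns the entry says the trojan targets on removable and
# network drives.
TARGET_PATTERNS = ("*setup*.exe", "*install*.exe", "*update*.exe", "*.msi")

# Expected leading bytes: PE executables start with "MZ"; genuine .msi
# packages are OLE compound documents starting with D0 CF 11 E0.
MZ_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0"


def is_target_name(name: str) -> bool:
    """Case-insensitive match against the installer name patterns."""
    lower = name.lower()
    return any(fnmatch.fnmatch(lower, pat) for pat in TARGET_PATTERNS)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drive(root: str) -> dict:
    """Walk `root` and return two findings:
    - "clones": sha256 -> paths for every digest shared by two or more
      target-named files (identical bytes across distinct installers is
      the hallmark of mass replacement by a single infector copy);
    - "msi_with_pe_header": .msi files whose first bytes are an MZ header
      instead of the OLE compound-document magic.
    """
    by_hash = defaultdict(list)
    bad_msi = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_target_name(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4)
            if name.lower().endswith(".msi") and head.startswith(MZ_MAGIC):
                bad_msi.append(path)
            by_hash[sha256_file(path)].append(path)
    clones = {h: sorted(p) for h, p in by_hash.items() if len(p) >= 2}
    return {"clones": clones, "msi_with_pe_header": sorted(bad_msi)}


def basenames(paths) -> list:
    """Sorted file names only, handy for reporting and for checks."""
    return sorted(os.path.basename(p) for p in paths)


def build_sample_tree() -> str:
    """Constructed sample: a fake removable drive with three installers that
    were 'replaced' by the same dropper body, one untouched installer, a
    .msi that now carries a PE header, a clean .msi and an unrelated file."""
    root = tempfile.mkdtemp(prefix="usb_")
    dropper = MZ_MAGIC + b"\x90" * 60 + b"constructed-dropper-body"
    for name in ("app_setup.exe", "Install_Tool.exe", "Updater.exe", "package.msi"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(dropper)
    with open(os.path.join(root, "genuine_setup.exe"), "wb") as fh:
        fh.write(MZ_MAGIC + b"unique legitimate installer bytes")
    with open(os.path.join(root, "clean.msi"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 16)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"not an installer, never scanned")
    return root


if __name__ == "__main__":
    report = scan_drive(build_sample_tree())
    for digest, paths in report["clones"].items():
        print(f"identical installer bodies (sha256 {digest[:12]}...):")
        for p in paths:
            print("   ", p)
    for p in report["msi_with_pe_header"]:
        print("MSI with PE header instead of OLE magic:", p)
```

Pointing `scan_drive` at a real mount point instead of the sample tree is the intended use; the clone check deliberately groups by content rather than by name, so it also catches the case where the infector overwrote installers under names the pattern list does not cover, as long as at least one match is among them.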
Information stealing
The trojan collects the following information:
- installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
- information about the operating system and system settings
- list of running processes
- the list of installed software
- list of installed device drivers
The trojan can modify network traffic.
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan generates various URL addresses. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- capture screenshots
- collect information about the operating system used
- send gathered information
The trojan hooks the following Windows APIs:
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- PR_Poll (nspr4.dll)
- PR_Available (nspr4.dll)
- PR_Close (nspr4.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpQueryInfoW (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)