Win32/Spy.Tuscas [Threat Name]
Win32/Spy.Tuscas.K [Threat Variant Name]
Detection created: Jun 05, 2015
Signature database version: 11740
Win32/Spy.Tuscas.K is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.
When executed, the trojan creates the following files:
A string with variable content is used instead of %variable%.
The trojan registers itself as a system service.
This causes the trojan to be executed on every system start.
The trojan creates and runs a new thread with its own program code within the following processes:
The trojan searches removable and network drives for files with the following file extensions:
The trojan may replace these files with a copy of itself.
The trojan may write the program code of the malware into the following files:
The trojan collects the following information:
- installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
- information about the operating system and system settings
- list of running processes
- the list of installed software
- list of installed device drivers
The trojan can modify network traffic.
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan generates various URL addresses. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- capture screenshots
- collect information about the operating system used
- send gathered information
The trojan hooks the following Windows APIs:
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- PR_Poll (nspr4.dll)
- PR_Available (nspr4.dll)
- PR_Close (nspr4.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpQueryInfoW (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
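A practitioner who wants to confirm these hooks in a running process can inspect the first bytes of each listed export for a detour. The following is an added example, not part of this ESET entry and not ESET tooling: it classifies the common inline-hook prologues (relative JMP, indirect JMP, PUSH/RET, MOV register/JMP register) from constructed byte strings, and on Windows reads those bytes for the wininet.dll and nspr4.dll exports in the process it runs in. The export names are the ones listed above (HttpQueryInfoA spelled as the real API); the note that nspr4.dll is Firefox's NSPR library is an assumption of the example, and the hook byte patterns are generic detour shapes, not patterns taken from this sample.

```python
"""Inline-hook check for the WinINet/NSPR exports listed in the entry (added example)."""
import ctypes
import struct
import sys

# Export names from the page's hook list. nspr4.dll (assumed here to be the NSPR
# library shipped with Firefox) is only present inside a Firefox process and is
# skipped when it cannot be loaded.
HOOKED_EXPORTS = {
    "wininet.dll": [
        "HttpOpenRequestA", "HttpOpenRequestW", "HttpSendRequestA", "HttpSendRequestW",
        "HttpQueryInfoA", "HttpQueryInfoW", "InternetQueryDataAvailable",
        "InternetReadFile", "InternetReadFileExA", "InternetReadFileExW",
    ],
    "nspr4.dll": ["PR_Read", "PR_Write", "PR_Poll", "PR_Available", "PR_Close"],
}


def classify_prologue(code, address=0):
    """Return a short description if the entry bytes look like a detour, else None.

    `code` holds the first bytes at the function entry (16 is enough for every
    pattern below; shorter input is zero-padded), `address` is the entry VA so a
    relative JMP target can be resolved.  These are generic hook shapes, not
    patterns specific to this malware family.
    """
    code = bytes(code).ljust(16, b"\x00")
    op = code[0]
    if op == 0xE9:                                   # JMP rel32 (5-byte detour)
        rel = struct.unpack_from("<i", code, 1)[0]
        target = (address + 5 + rel) & 0xFFFFFFFFFFFFFFFF
        return "jmp rel32 -> 0x%x" % target
    if code[:2] == b"\xFF\x25":                      # JMP [mem] (absolute indirect)
        return "jmp [indirect]"
    if op == 0x68 and code[5] == 0xC3:               # PUSH imm32 ; RET
        return "push/ret -> 0x%x" % struct.unpack_from("<I", code, 1)[0]
    if op == 0xB8 and code[5:7] == b"\xFF\xE0":      # MOV EAX,imm32 ; JMP EAX
        return "mov eax/jmp eax -> 0x%x" % struct.unpack_from("<I", code, 1)[0]
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # MOV RAX,imm64 ; JMP RAX
        return "mov rax/jmp rax -> 0x%x" % struct.unpack_from("<Q", code, 2)[0]
    return None


def scan_loaded_exports(exports=HOOKED_EXPORTS, nbytes=16):
    """On Windows, resolve each export in this process and classify its entry bytes.

    Returns {"dll!Export": verdict} for entries that look hooked.  Off Windows it
    returns an empty dict so the classifier can still be exercised on its own.
    """
    if not sys.platform.startswith("win"):
        return {}
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    findings = {}
    for dll, names in exports.items():
        base = k32.GetModuleHandleW(dll) or k32.LoadLibraryW(dll)
        if not base:
            continue                                 # module absent (e.g. nspr4.dll outside Firefox)
        for name in names:
            addr = k32.GetProcAddress(base, name.encode("ascii"))
            if not addr:
                continue
            verdict = classify_prologue(ctypes.string_at(addr, nbytes), addr)
            if verdict:
                findings["%s!%s" % (dll, name)] = verdict
    return findings


if __name__ == "__main__":
    hits = scan_loaded_exports()
    for sym, why in sorted(hits.items()):
        print("%-40s %s" % (sym, why))
    if not hits:
        print("no detour-shaped prologues found in this process")
```

The scan only sees the process it runs in, so to check a browser or another injected target it would have to be loaded there or rewritten around OpenProcess/ReadProcessMemory. Treat a hit as a lead rather than a verdict: a JMP at an export's entry is also what a legitimate hot-patch or forwarder looks like, so compare the in-memory bytes with the same export in the on-disk copy of the DLL before concluding the function is hooked.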