
TrojanDownloader:Win32/Tugspay.A


First posted on 24 July 2014.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Tugspay.A.

Explanation:

Threat behavior

Installation

TrojanDownloader:Win32/Tugspay.A uses social engineering to get your consent to install onto your PC. For example, we have seen it imitate a Java update. It persuades or tricks you into agreeing to download its file by posing as a legitimate request.

We have seen this threat installed by:

  • Malicious or compromised websites, when a message appears asking you to download a file, for example a fake Java update or download, as shown below:


  • Abused content delivery networks, for example, when you are searching for a legitimate application or installer.
  • Other malware, for example HackTool:Win32/Keygen and Exploit:Java/Anogre.E.


We have seen this threat downloaded with the following file names:

  • avast_antivirus.exe
  • avg antivirus.exe
  • flashplayer.exe
  • flvplayer.exe
  • Google_chrome.exe
  • iTunes.exe
  • java.exe
  • mcafee_antivirus_plus.exe
  • microsoft-office-2010.exe
  • microsoft-powerpoint-2010.exe
  • microsoft-security-essentials.exe
  • microsoft-Silverlight.exe
  • microsoft-word.exe
  • norton-antivirus.exe
  • panda antivirus.exe
  • player_setup.exe
  • setup.exe
  • skype.exe
  • vlc-media-player.exe


Payload

Collects information about your PC

This threat performs machine and web browser fingerprinting. It checks and collects information about your PC including:

  • Operating system and version
  • Service pack installed
  • Whether administrator privileges are enabled
  • Machine architecture
  • Antivirus and firewall settings
  • Web browsers installed
  • Default browser
  • User data such as bookmarks, downloads, browsing history, passwords, sessions and cookies.


It also checks its environment and refuses to run when it is being analyzed, debugged or executed in a controlled environment such as a virtual machine.

Downloads and installs potentially unwanted software

This threat has a predefined list of applications that it can download and install. This includes:

  • Amonetize
  • AndroidAPK
  • CouponServer
  • Monetizer (refers to InstallMonetizer)
  • ShoppingChip
  • StrongVault


It might also install browser add-ons related to these applications.

We have also seen TrojanDownloader:Win32/Tugspay.A download the following malware and potentially unwanted software:

  • Adware:Win32/EoRezo
  • Adware:Win32/Adpeak
  • Misleading:Win32/OptimizerElite
  • SoftwareBundler:Win32/CostMin
  • TrojanClicker:Win32/Clikug.C


Traces of related downloads can be found in %TEMP% and %APPDATA%.

It also includes a feature that lets it download a configuration from a remote host and perform dynamic installs based on it. This configuration lists affiliate distribution sources and download URLs.

Connects to remote servers

The malware connects to a remote server. This can be part of its social engineering screen, or used to post collected data, read configurations, or download files. We have seen it connect to the following servers:

  • 54.213.138.138
  • 69.16.175.10
  • 54.201.5.113
  • 85.12.8.28
  • 82.12.5.27
  • 173.193.180.130
  • 208.87.233.180
  • 207.171.187.117


Additional information

TrojanDownloader:Win32/Tugspay.A might use multiple techniques to hide its malicious intent including:

  • Using a digital certificate to gain your trust.
  • Using a website or download domain that appears legitimate. It usually uses the term "cloud" as part of its domain name, for example: mycloud101, srcloudfile, procloudbox, cloudbox, cloudsvr or cloudserver.




Analysis by Methusela Cebrian Ferrer

Symptoms

The following could indicate that you have this threat on your PC:

  • You have unexpected programs or browser add-ons installed on your PC
  • You have these files:

    avast_antivirus.exe
    avg antivirus.exe
    flashplayer.exe
    flvplayer.exe
    Google_chrome.exe
    iTunes.exe
    java.exe
    mcafee_antivirus_plus.exe
    microsoft-office-2010.exe
    microsoft-powerpoint-2010.exe
    microsoft-security-essentials.exe
    microsoft-Silverlight.exe
    microsoft-word.exe
    norton-antivirus.exe
    panda antivirus.exe
    player_setup.exe
    setup.exe
    skype.exe
    vlc-media-player.exe
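As an added triage check (not part of the Microsoft entry), the Python script below walks the %TEMP% and %APPDATA% locations the entry names for download traces and reports files whose names are on the list above; it also flags host names carrying the "cloud" term described under Additional information. The file names and directories come from the entry; the sample directory tree in demo() is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# File names Microsoft reports for TrojanDownloader:Win32/Tugspay.A downloads (from the entry above),
# compared case-insensitively because Windows file names are.
TUGSPAY_FILE_NAMES = {
    "avast_antivirus.exe", "avg antivirus.exe", "flashplayer.exe", "flvplayer.exe",
    "google_chrome.exe", "itunes.exe", "java.exe", "mcafee_antivirus_plus.exe",
    "microsoft-office-2010.exe", "microsoft-powerpoint-2010.exe",
    "microsoft-security-essentials.exe", "microsoft-silverlight.exe", "microsoft-word.exe",
    "norton-antivirus.exe", "panda antivirus.exe", "player_setup.exe", "setup.exe",
    "skype.exe", "vlc-media-player.exe",
}
# Locations the entry says hold traces of the downloads.
TRACE_DIR_VARS = ("TEMP", "APPDATA")

def trace_dirs_from_env(environ=None):
    """Resolve %TEMP% and %APPDATA% from the environment; skip any that are unset."""
    env = os.environ if environ is None else environ
    return [env[v] for v in TRACE_DIR_VARS if v in env]

def find_tugspay_traces(directories):
    """Walk each directory and return files whose name is on the Tugspay list.
    setup.exe and java.exe are common legitimate names, so every hit needs a manual look."""
    hits = []
    for base in map(Path, directories):
        if base.is_dir():
            hits.extend(p for p in base.rglob("*")
                        if p.is_file() and p.name.lower() in TUGSPAY_FILE_NAMES)
    return sorted(hits)

def cloud_term_hosts(hostnames):
    """Flag hosts carrying the 'cloud' term the entry describes; a weak signal on its own."""
    return [h for h in hostnames if "cloud" in h.lower()]

def demo():
    """Run the check over a constructed sample tree (placeholder files, not malware)."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        (root / "sub").mkdir()
        for name in ("java.exe", "notes.txt", "sub/Skype.EXE", "sub/readme.exe"):
            (root / name).write_bytes(b"constructed placeholder, not an executable")
        return [p.name.lower() for p in find_tugspay_traces([root])]

if __name__ == "__main__":
    for hit in find_tugspay_traces(trace_dirs_from_env()):
        print("possible Tugspay download:", hit)
```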




Last update 24 July 2014
