Trojan:Win32/Tapaoux.A is a trojan that attempts to terminate security-related services and allows remote access and control of an affected computer.
Installation
This trojan may be downloaded and installed by other malware such as TrojanDownloader:Win32/Doutrad.A. Trojan:Win32/Tapaoux.A installs the following components into the Windows system folder:
<file name>.dll - Trojan:Win32/Tapaoux.A
<file name>.exe - Trojan:Win32/Tapaoux.A
<file name>.sys - VirTool:WinNT/Tapaoux.A
Examples of the file names created are "actmove", "appned" and "qernet". Trojan:Win32/Tapaoux.A drops and launches a batch script file in the current folder named "delus.bat" which deletes the dropper itself and launches the dropped EXE file. The registry is modified to run the dropped EXE file component at each Windows start.
Adds value: "<name>"
With data: "<file name.exe>"
To subkey: HKCU\Software\Microsoft\CurrentVersion\Run
Trojan:Win32/Tapaoux.A creates and loads a system device driver service for the dropped .SYS file component. The service name could be "KeyDrvClass". The trojan injects code into "svchost.exe" and "explorer.exe" to load the dropped .DLL component.
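The following triage script is an added example, not part of this write-up: run from an elevated PowerShell prompt, it checks a host for the installation artifacts described above (dropped .dll/.exe/.sys components under the system folder, the HKCU Run value, and the driver service). It assumes the example file names "actmove", "appned" and "qernet" and the example service name "KeyDrvClass" from this entry, and uses the standard Run key path HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

```powershell
# Added triage script (not from the write-up). Checks for Tapaoux.A
# installation artifacts. Names below are the examples given in the entry.
$systemDir  = [Environment]::GetFolderPath('System')   # usually C:\Windows\System32
$knownNames = @('actmove', 'appned', 'qernet')          # example dropped file names
$driverName = 'KeyDrvClass'                             # example driver service name
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings   = @()

# 1. Dropped components: <name>.dll / <name>.exe / <name>.sys in the system folder
foreach ($name in $knownNames) {
    foreach ($ext in 'dll', 'exe', 'sys') {
        $path = Join-Path $systemDir "$name.$ext"
        if (Test-Path -LiteralPath $path) {
            $findings += "Dropped component present: $path"
        }
    }
}

# 2. HKCU Run value whose data references one of the dropped EXE names
if (Test-Path -Path $runKey) {
    $meta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = (Get-ItemProperty -Path $runKey).PSObject.Properties |
             Where-Object { $_.Name -notin $meta }
    foreach ($p in $props) {
        foreach ($name in $knownNames) {
            if ("$($p.Value)" -match "(?i)$name\.exe") {
                $findings += "Run-key persistence: $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 3. Kernel driver service with the example name, or one whose binary is a dropped .sys
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $byName = ($drv.Name -eq $driverName)
    $byPath = $false
    foreach ($name in $knownNames) {
        if ("$($drv.PathName)" -match "(?i)\\$name\.sys$") { $byPath = $true }
    }
    if ($byName -or $byPath) {
        $findings += "Driver service: $($drv.Name) -> $($drv.PathName) (state: $($drv.State))"
    }
}

# 4. Leftover cleanup script; %TEMP% and Downloads are assumed dropper locations
foreach ($dir in @($env:TEMP, (Join-Path $env:USERPROFILE 'Downloads'))) {
    $bat = Join-Path $dir 'delus.bat'
    if (Test-Path -LiteralPath $bat) { $findings += "Dropper cleanup script present: $bat" }
}

if ($findings.Count -eq 0) { 'No Tapaoux.A installation artifacts found.' } else { $findings }
```

A hit on the Run value or the driver service alone is a strong indicator; a file-name hit on its own should be confirmed by inspecting the file, since these are only the example names observed.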
Trojan:Win32/Tapaoux.A attempts to determine if the system is running within a virtual environment, such as Virtual PC, VMware and others, and if so, terminates. Additionally, the trojan terminates if any of the following security-related processes are found running on the system:
ollydbg.exe
filemon.exe
regmon.exe
icesword.exe
idag.exe
ethereal.exe
pslist.exe
Payload
Suspends threads
Trojan:Win32/Tapaoux.A attempts to suspend the following security-related threads:
AVGIDSAgent.exe
AVGIDSMonitor.exe
Allows remote access and control
Trojan:Win32/Tapaoux.A connects to remote servers to report its infection and retrieve commands from a remote attacker. Observed examples of server connection domains include "dailysummary.net" and "somus.net". At the time of this writing, specific subdirectories of the sites were unavailable. Commands supported by the trojan include the following:
- List a specified directory and upload the result to the remote server
- Upload any file to the remote server
- Execute a specified command on the infected machine
- Download and execute any file(s) from the remote server
Additional Information
Analysis by Shawn Wang