Trojan:Win32/Tapaoux.A is a trojan that attempts to terminate security-related services and allows remote access and control of an affected computer.
This trojan may be downloaded and installed by other malware such as TrojanDownloader:Win32/Doutrad.A
installs the following components into the Windows system folder:
<file name>.dll - Trojan:Win32/Tapaoux.A
<file name>.exe - Trojan:Win32/Tapaoux.A
<file name>.sys - VirTool:WinNT/Tapaoux.A
Examples of the file names created are "actmove", "appned" and "qernet". Trojan:Win32/Tapaoux.A drops and launches a batch script file in the current folder named "delus.bat" which deletes the dropper itself and launches the dropped EXE file. The registry is modified to run the dropped EXE file component at each Windows start.
Adds value: "<name>"
With data: "<file name.exe>"
To subkey: HKCU\Software\Microsoft\CurrentVersion\Run
Trojan:Win32/Tapaoux.A creates and loads a system device driver service for the dropped .SYS file component. The service name could be "KeyDrvClass". The trojan injects code into "svchost.exe" and "explorer.exe" to load the dropped .DLL component.
Trojan:Win32/Tapaoux.A attempts to determine if the system is running within a virtual environment, such as Virtual PC, VMware and others, and if so, terminates. Additionally the trojan terminates if the following security-related processes are found running on the system:
Trojan:Win32/Tapaoux.A attempts to suspend the following security-related threads:
Allows remote access and control
Trojan:Win32/Tapaoux.A connects to remote servers to report its infection and retrieve commands from a remote attacker. Observed examples of server connection domains include "dailysummary.net" and "somus.net". At the time of this writing, specific subdirectories of the sites were unavailable. Commands supported by the trojan include the following:
- List any specific directory and upload the result to the remote server
- Upload any file to the remote server.
- Execute a specified command on infected machine
- Download and execute any file(s) from the remote server
Analysis by Shawn Wang
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).