Follow:

 

Trojan:Win32/Tapaoux.A


Trojan:Win32/Tapaoux.A is a trojan that attempts to terminate security-related services and allows remote access and control of an affected computer.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Trojan:Win32/Tapaoux.A is a trojan that attempts to terminate security-related services and allows remote access and control of an affected computer.
Installation
This trojan may be downloaded and installed by other malware such as TrojanDownloader:Win32/Doutrad.A. Trojan:Win32/Tapaoux.A installs the following components into the Windows system folder:
 
<file name>.dllTrojan:Win32/Tapaoux.A
<file name>.exe - Trojan:Win32/Tapaoux.A
<file name>.sys - VirTool:WinNT/Tapaoux.A
 
Examples of the file names created are "actmove", "appned" and "qernet". Trojan:Win32/Tapaoux.A drops and launches a batch script file in the current folder named "delus.bat" which deletes the dropper itself and launches the dropped EXE file. The registry is modified to run the dropped EXE file component at each Windows start.
 
Adds value: "<name>"
With data: "<file name.exe>"
To subkey: HKCU\Software\Microsoft\CurrentVersion\Run
 
Trojan:Win32/Tapaoux.A creates and loads a system device driver service for the dropped .SYS file component. The service name could be "KeyDrvClass". The trojan injects code into "svchost.exe" and "explorer.exe" to load the dropped .DLL component.
 
Trojan:Win32/Tapaoux.A attempts to determine if the system is running within a virtual environment, such as Virtual PC, VMware and others, and if so, terminates. Additionally the trojan terminates if the following security-related processes are found running on the system:
ollydbg.exe
filemon.exe
regmon.exe
icesword.exe
idag.exe
ethereal.exe
pslist.exe
Payload
Suspends threads
Trojan:Win32/Tapaoux.A attempts to suspend the following security-related threads:
 
AVGIDSAgent.exe
AVGIDSMonitor.exe
 
Allows remote access and control
Trojan:Win32/Tapaoux.A connects to remote servers to report its infection and retrieve commands from a remote attacker. Observed examples of server connection domains include "dailysummary.net" and "somus.net". At the time of this writing, specific subdirectories of the sites were unavailable. Commands supported by the trojan include the following:
  • List any specific directory and upload the result to the remote server
  • Upload any file to the remote server.
  • Execute a specified command on infected machine
  • Download and execute any file(s) from the remote server
Additional Information
For more information about VirTool:WinNT/Tapaoux.A, see the description elsewhere in the encyclopedia.
 
Analysis by Shawn Wang

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.71.936.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Dec 16, 2009
This entry was first published on: Dec 30, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Agent.IJA (Command)
  • BackDoor.Generic12.QZL (AVG)
  • BackDoor.Siggen.5050 (Dr.Web)
  • Trojan.Win32.Tapaoux (Ikarus)
  • Backdoor.Win32.Tusha.cv (Kaspersky)
  • TROJ_DROP.GSD (Trend Micro)