Trojan.PWS.Tupai.A

SYMPTOMS: presence of setupapi.dll in the Internet Explorer folder

TECHNICAL DESCRIPTION: The file is usually dropped into the Internet Explorer folder under the name setupapi.dll. The trojan is used to steal passwords for FTP servers. To obtain this information it searches for well-known FTP programs installed on the client's computer and, depending on which program is installed, tries to decrypt the stored passwords and FTP server addresses. Once decryption is complete it re-encrypts the data using its own algorithm and sends it to http://85.225.[hidden].198/ftpg/ftp.php.

The trojan targets the stored credentials of the following programs:
- SecureFx
- IpSwitch
- FTPWare
- FileZilla
- Total Commander
- BulletProof Ftp
- GlobalScape Ftp
- CoffeeCup Ftp
- Ftp Commander Pro
- Smart Ftp
- Leap Ftp
- Far

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Mihai Razvan Benchea, virus researcher
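The two observable indicators in this description, a setupapi.dll sitting in the Internet Explorer folder (the legitimate copy lives in the Windows system directory, not there) and outbound requests to the /ftpg/ftp.php exfiltration path, can be checked from a script. The following is an added detection example and not BitDefender's own tooling: the Internet Explorer install paths are assumed defaults, the exfiltration host is masked in the description so the match is on the URL path only, and the proxy log lines are constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: default Internet Explorer install folders on a Windows host.
# Adjust for non-default installs or pass your own list to find_dropped_dll().
DEFAULT_IE_DIRS = [
    r"C:\Program Files\Internet Explorer",
    r"C:\Program Files (x86)\Internet Explorer",
]

# The host in the description is masked ("85.225.[hidden].198"), so only the
# exfiltration URL path from the description is used as the indicator.
EXFIL_PATH_RE = re.compile(r"/ftpg/ftp\.php", re.IGNORECASE)

# Constructed sample proxy log lines (host 203.0.113.5 is a documentation
# address, not a real indicator); the second line is the one that should match.
SAMPLE_PROXY_LOG = [
    "2009-01-10 10:01:02 10.0.0.7 GET http://203.0.113.9/index.html 200",
    "2009-01-10 10:01:05 10.0.0.7 POST http://203.0.113.5/ftpg/ftp.php 200",
    "2009-01-10 10:01:09 10.0.0.8 GET http://203.0.113.9/ftp/readme.txt 200",
]


def find_dropped_dll(ie_dirs: Optional[List[str]] = None,
                     name: str = "setupapi.dll") -> List[str]:
    """Return full paths of `name` found directly inside each Internet Explorer folder.

    A setupapi.dll in these folders is the symptom named in the description;
    the genuine DLL ships in the Windows system directory, so any hit is suspect.
    """
    hits = []
    for folder in (ie_dirs or DEFAULT_IE_DIRS):
        candidate = Path(folder) / name
        if candidate.is_file():
            hits.append(str(candidate))
    return hits


def flag_exfil_requests(log_lines: List[str]) -> List[str]:
    """Return the proxy log lines whose request URL contains the exfiltration path."""
    return [line for line in log_lines if EXFIL_PATH_RE.search(line)]


def demo() -> Dict[str, object]:
    """Run both checks against constructed data and return the findings.

    A throwaway directory stands in for the Internet Explorer folder so the
    file check can be exercised on any platform without touching a real install.
    """
    with tempfile.TemporaryDirectory() as fake_ie_dir:
        clean = find_dropped_dll([fake_ie_dir])          # nothing dropped yet
        dropped = os.path.join(fake_ie_dir, "setupapi.dll")
        with open(dropped, "wb") as fh:
            fh.write(b"MZ")                               # placeholder content
        infected = find_dropped_dll([fake_ie_dir])       # now one hit
    return {
        "clean_hits": clean,
        "infected_hits": [os.path.basename(p) for p in infected],
        "exfil_lines": flag_exfil_requests(SAMPLE_PROXY_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    # On a real Windows host, the live check is simply:
    #   find_dropped_dll()
```

Run with no arguments for the self-contained demonstration; on a Windows host call find_dropped_dll() with no arguments to scan the default folders, and feed real proxy or web-filter logs to flag_exfil_requests(). Match the file indicator on the folder, not just the file name, since a setupapi.dll in the system directory is expected.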