Win-Dropper/Tuotu.2941638

| System Risk | Network Risk | Spread Risk | Current Spread Level |
| Medium      | N/A          | N/A         | N/A                  |

Aliases:
Primary Symptoms: File,
Infected OS: Windows
Infected Route: File Execution
Kind: Spyware
Infected Type: Executable File
Origin: Unknown
Specific Working Date: N/A
Date Discovered (local time):
Date Discovered in Korea:
AhnLab's Countermeasure:
You can scan this virus with Engine version 2008.06.11.00
You can cure this virus with Engine version 2008.06.11.00

Summary
Win-Dropper/Tuotu.2941638 is a dropper that installs and executes other spyware programs.
Content
[Folder and File]
The following are the folders and files that Win-Dropper/Tuotu.2941638 creates.
%PFDIR%\Tuotu\ (Folder)
%PFDIR%\Tuotu\atl71.dll
%PFDIR%\Tuotu\dat\ (Folder)
%PFDIR%\Tuotu\dat\ed2k\ (Folder)
%PFDIR%\Tuotu\dat\ed2k\cryptkey.dat
%PFDIR%\Tuotu\dat\ed2k\downloads.txt
%PFDIR%\Tuotu\dat\ed2k\known2_64.met
%PFDIR%\Tuotu\dat\ed2k\nodes.dat
%PFDIR%\Tuotu\dat\ed2k\nodes.dat.bak
%PFDIR%\Tuotu\dat\ed2k\preferences.ini
%PFDIR%\Tuotu\dat\ed2k\server.met
%PFDIR%\Tuotu\dat\ed2k\server.met.bak
%PFDIR%\Tuotu\dat\localSnap\ (Folder)
%PFDIR%\Tuotu\dat\logs\ (Folder)
%PFDIR%\Tuotu\dat\met\ (Folder)
%PFDIR%\Tuotu\dat\setupol_3012.exe
%PFDIR%\Tuotu\dat\UAD.dat
%PFDIR%\Tuotu\dat\UID.DAT
%PFDIR%\Tuotu\dat\UPnPDef.xml
%PFDIR%\Tuotu\emule.dll
%PFDIR%\Tuotu\Incoming\ (Folder)
%PFDIR%\Tuotu\lang_dll.dll
%PFDIR%\Tuotu\live\ (Folder)
%PFDIR%\Tuotu\live\RealMediaSplitter.axx
%PFDIR%\Tuotu\TcpCrack_2.exe
%PFDIR%\Tuotu\temp\ (Folder)
%PFDIR%\Tuotu\TT_all.htm
%PFDIR%\Tuotu\TT_one.htm
%PFDIR%\Tuotu\Tuotu.exe
%PFDIR%\Tuotu\TuotuHelper_v8.dll
%PFDIR%\Tuotu\uninstall.exe
%PROGRAMS%\****\ (Folder)
%PROGRAMS%\****\**********
%PROGRAMS%\****\****
%PROGRAMS%\****\**
[Registry]
The following are the registry keys that Win-Dropper/Tuotu.2941638 creates.
HKCR\AppID\TuoTu.dll
HKCR\AppID\{90A52F08-64AC-4DC6-9D7D-4516670275D3}
HKCR\CLSID\{0BECAB3A-E1F8-45E6-8332-38DD750EBA01}
HKCR\CLSID\{51E442DE-0693-4724-BF89-C0711DD2C12F}
HKCR\CLSID\{EA6506CE-9663-4855-99E2-29D989F6CA17}
HKCR\ed2k\shell\open\command\C:\Program Files\Tuotu\TuoTu.exe "{***}"="%PFDIR%\Tuotu\TT_one.htm"
HKCR\Interface\{D348CFFC-627C-4F74-A350-60962E845037}
HKCR\Interface\{F2BF93D7-05C4-4FB1-9612-12103A1E13D5}
HKCR\Interface\{F2BF9AD7-05C4-4FB1-9612-12103A1E13D5}
HKCR\TuoTuHelper.LDown
HKCR\TuoTuHelper.LDown.1
HKCR\TuoTuHelper.RDown
HKCR\TuoTuHelper.RDown.1
HKCR\TuoTuHelper.TTDownMgr
HKCR\TuoTuHelper.TTDownMgr.1
HKCR\TypeLib\{03F011BF-C14B-43FC-9BDC-5387F737F2D1}
HKCU\SOFTWARE\TuoTu
HKLM\SOFTWARE\Microsoft\Windows\Current Version\Uninstall\Tuotu
A dropper carries a malicious program, such as a virus, worm or spyware, inside itself. It installs that program in a specific directory and then executes it. A dropper either disguises itself as a normal program to entice the user into running it, or is executed by other malicious code or spyware.
Note: the location of the %PROGRAMS% folder differs by Windows version. The paths generally used are:
Windows 9x/ME - C:\Windows\StartMenu\Program
Windows NT/2000/XP - C:\Documents and Settings\%USER%\StartMenu\Program
Note: %PFDIR% is the folder into which programs are installed. Users can change its location; the path generally used is:
C:\Program Files