
W32/Tepfer.D8A1

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 3
First Seen: August 29, 2013
Last Seen: October 18, 2020
OS(es) Affected: Windows

W32/Tepfer.D8A1 is an FTP credential-stealing Trojan that is distributed via a spear-phishing attack aimed at FTP users. W32/Tepfer.D8A1 affects numerous organizations. Such attacks are known as a component of APTs (Advanced Persistent Threats), which strive to obtain a foothold in an organization's network. W32/Tepfer.D8A1 propagates via spam emails carrying a malicious file attachment, which is the W32/Tepfer.D8A1 executable itself. W32/Tepfer.D8A1 targets FTP clients. FTP clients are used in numerous corporations for secure file transfer, and the threat attacks them to steal any sensitive details they store. W32/Tepfer.D8A1 steals user information from FTP software using specific Windows API functions. W32/Tepfer.D8A1 attempts to download malicious files from particular web addresses. W32/Tepfer.D8A1 saves the dropped executable files to the Temporary folder and then runs them. W32/Tepfer.D8A1 then deletes itself from the folder it was run from. W32/Tepfer.D8A1 attempts to steal stored account information or credentials of specific programs. The stolen information is then transmitted by W32/Tepfer.D8A1 to one of the particular web addresses.

W32/Tepfer.D8A1 comes packed with UPX and, once unpacked, has its own mechanisms in place to hinder emulation. W32/Tepfer.D8A1 grabs information about the FTP servers an attacked host connects to. W32/Tepfer.D8A1 watches for many well-known FTP applications, including Ghisler's Windows Commander and Total Commander, FileZilla, GlobalSCAPE CuteFTP, Far FTP, WS_FTP and FlashFXP. W32/Tepfer.D8A1 queries the Windows Registry for CuteFTP. By looking for CuteFTP's .dat file (sm.dat, the site manager data file), W32/Tepfer.D8A1 can distinguish CuteFTP Pro, CuteFTP and CuteFTP Lite. W32/Tepfer.D8A1 also distinguishes CuteFTP's QCToolbar versions 6, 7 and 8 for both the Home and Professional editions by querying the QCHistory registry entries. To get FTP details, W32/Tepfer.D8A1 queries the Windows Registry for the path of either an .ini or a .dat file. W32/Tepfer.D8A1 can also query for the actual host, username and password associated with a particular FTP client program via registry subkeys. Whenever possible, W32/Tepfer.D8A1 also checks the ShSpecialFolder for the presence of known FTP client directories and then manually looks for both the .ini and .dat files. W32/Tepfer.D8A1 locates certain directories using CSIDL values. W32/Tepfer.D8A1 may trigger a firewall alert that an executable is attempting to connect to the Internet. Executable files of W32/Tepfer.D8A1 may be present in the Temporary folder.
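As an added example (not code from this page or its author), the following Python scan runs over constructed proxy log lines and flags the two network behaviours described above: a GET of a remote executable (the staged payload that is later run from the Temporary folder) and a POST to a /ponyb/gate.php path (the Pony-family collection gate this sample reports stolen credentials to). The log line format, the hostnames and the verdict levels are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed proxy log sample (not from the page). Assumed line format:
# "<unix_ts> <client_ip> <method> <url> <status>"; hostnames are placeholders.
SAMPLE_LOG = """\
1377734401 10.0.0.5 GET http://example-law.invalid/f6gGoc.exe 200
1377734403 10.0.0.5 POST http://example-house.invalid/ponyb/gate.php 200
1377734405 10.0.0.7 GET http://intranet.example.invalid/index.html 200
1377734407 10.0.0.9 POST http://example-walla.invalid/ponyb/gate.php 200
1377734409 10.0.0.7 GET http://downloads.example.invalid/setup.exe 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Collection-gate path of the Pony-family panel this sample reports to.
GATE_PATH = "/ponyb/gate.php"


def classify(method: str, url: str) -> str | None:
    """Map one request to an indicator tag, or None if it is unremarkable."""
    path = urlparse(url).path.lower()
    if method == "POST" and path.endswith(GATE_PATH):
        return "pony_gate_checkin"   # stolen credentials are POSTed to the gate
    if method == "GET" and path.endswith(".exe"):
        return "exe_download"        # staged payload, later run from the Temp folder
    return None


def scan(log_text: str) -> dict[str, str]:
    """Return {client_ip: verdict} for every client showing at least one indicator."""
    seen: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that do not fit the assumed format
        tag = classify(m["method"], m["url"])
        if tag:
            seen.setdefault(m["client"], set()).add(tag)
    verdicts = {}
    for client, tags in seen.items():
        if tags == {"exe_download", "pony_gate_checkin"}:
            verdicts[client] = "high"     # download followed by check-in: full chain
        elif "pony_gate_checkin" in tags:
            verdicts[client] = "medium"   # check-in alone is still the exfiltration step
        else:
            verdicts[client] = "low"      # bare executable download: review only
    return verdicts
```

Run `scan(SAMPLE_LOG)` to see one host graded high, one medium and one low; in practice the gate path and executable-download rule would be fed from a threat feed rather than hard-coded.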

URLs

W32/Tepfer.D8A1 may call the following URLs:
