W32/Tepfer.D8A1
Threat Scorecard
Threat Level: 90% (High)
Infected Computers: 3
First Seen: August 29, 2013
Last Seen: October 18, 2020
OS(es) Affected: Windows
W32/Tepfer.D8A1 is an FTP credential-stealing Trojan distributed through spear-phishing attacks, and it has affected numerous organizations. Such attacks are a known component of APTs (Advanced Persistent Threats), which strive to obtain a foothold in an organization's network. W32/Tepfer.D8A1 propagates via spam emails carrying malicious file attachments that are detected as W32/Tepfer.D8A1. The threat targets FTP clients, which are used in many corporations to transfer files, and attacks them to steal sensitive details. W32/Tepfer.D8A1 harvests user information from FTP software using specific Windows API functions. It attempts to download malicious files from particular web addresses, saves the dropped executables to the Temporary folder, runs them, and then deletes itself from the current folder. W32/Tepfer.D8A1 also tries to steal the stored account information or credentials of specific programs; the stolen information is then transmitted by W32/Tepfer.D8A1 to one of those web addresses.
W32/Tepfer.D8A1 comes packed with UPX and, once unpacked, has its own anti-emulation mechanisms in place. It collects information about the FTP servers configured on the attacked host. W32/Tepfer.D8A1 looks for many well-known FTP applications, including Ghisler's Windows Commander and Total Commander, FileZilla, GlobalSCAPE CuteFTP, Far FTP, WS_FTP and FlashFXP.
W32/Tepfer.D8A1 queries the Windows Registry for CuteFTP. By looking for CuteFTP's site manager data file (sm.dat), it can distinguish between CuteFTP Pro, CuteFTP and CuteFTP Lite. It also distinguishes between CuteFTP's QCToolbar versions 6, 7 and 8, for both the Home and Professional editions, by querying the QCHistory registry entries. To obtain FTP details, W32/Tepfer.D8A1 queries the Windows Registry for the path of either an .ini or a .dat file. It can also query the registry subkeys of a particular FTP client program for the stored host, username and password. Wherever possible, W32/Tepfer.D8A1 additionally checks the shell special folders (ShSpecialFolder, located via CSIDL values) for the directories of known FTP clients and then manually searches them for the .ini and .dat files.
W32/Tepfer.D8A1 may trigger a firewall alert that an executable is attempting to connect to the Internet, and its executable files may be found in the Temporary folder.
URLs
W32/Tepfer.D8A1 may call the following URLs:
http://[Removed]-law.com/f6gGoc.exe
http://[Removed]bowling.com/9zifqS.exe
http://[Removed]house.net/ponyb/gate.php
http://[Removed]kiddoh.com/ponyb/gate.php
http://[Removed]walla.com/ponyb/gate.php
http://toft[Removed]school.co.uk/iF5DFSZ.exe
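The behaviours described above give a defender three things to hunt for: HTTP POSTs to a "/ponyb/gate.php" check-in path like the ones in the URL list, executables fetched over plain HTTP, and processes launched from the Temporary folder. The following script is an added example (not EnigmaSoft's code or part of this page) that runs those checks over sample data and only escalates a host when more than one trait is present. The proxy log layout, the process-event field names, the asset inventory and every hostname, IP address and user name are constructed assumptions; only the file names f6gGoc.exe and 9zifqS.exe come from the page.

```python
"""Defensive detection heuristics for the W32/Tepfer.D8A1 traits described on this page.

Added example, not EnigmaSoft's code. It flags three observable behaviours:
HTTP POSTs to a '/ponyb/gate.php' endpoint (the check-in path seen in the
URL list), executables fetched over plain HTTP, and processes launched from a
Temp folder. Every hostname, IP address, user name and log line below is
constructed sample data; the log line layout and the event field names are
assumptions, not a real product's format.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed asset inventory mapping client IPs to host names (assumption).
ASSET_INVENTORY = {"10.0.0.15": "WS-ALICE", "10.0.0.22": "WS-CAROL"}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
PROXY_LOG = [
    "2020-10-18T09:12:01 10.0.0.15 GET http://updates.example.invalid/index.html 200",
    "2020-10-18T09:12:07 10.0.0.15 GET http://c2-one.invalid/f6gGoc.exe 200",
    "2020-10-18T09:12:09 10.0.0.15 POST http://c2-two.invalid/ponyb/gate.php 200",
    "2020-10-18T09:15:44 10.0.0.22 GET http://intranet.example.invalid/report.pdf 200",
]

# Constructed process-creation events (shape modelled loosely on Sysmon Event ID 1).
PROCESS_EVENTS = [
    {"host": "WS-ALICE", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\9zifqS.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "WS-ALICE", "user": "alice",
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-BOB", "user": "bob",
     "image": r"C:\Windows\Temp\installer.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]

GATE_PATH_RE = re.compile(r"/ponyb/gate\.php$", re.IGNORECASE)
EXE_URL_RE = re.compile(r"^http://\S+\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    host: str       # host name (or the raw IP when it is not in the inventory)
    trait: str      # "c2_checkin", "exe_download" or "temp_exec"
    detail: str


def scan_proxy_log(lines):
    """Return findings for gate.php check-ins and plain-HTTP executable downloads."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate malformed lines rather than abort the scan
        _ts, client_ip, method, url, _status = parts
        host = ASSET_INVENTORY.get(client_ip, client_ip)
        path = urlsplit(url).path
        if method.upper() == "POST" and GATE_PATH_RE.search(path):
            findings.append(Finding("high", host, "c2_checkin",
                                    f"POST to Pony-style gate endpoint: {url}"))
        elif method.upper() == "GET" and EXE_URL_RE.match(url):
            findings.append(Finding("medium", host, "exe_download",
                                    f"executable fetched over plain HTTP: {url}"))
    return findings


def scan_process_events(events):
    """Return findings for processes whose image file lives in a Temp folder."""
    return [
        Finding("medium", ev["host"], "temp_exec",
                f"process launched from Temp folder: {ev['image']} (parent {ev['parent']})")
        for ev in events
        if TEMP_DIR_RE.search(ev["image"])
    ]


def hosts_with_multiple_traits(findings, minimum=2):
    """Hosts showing at least `minimum` distinct traits; one trait alone is weak evidence."""
    traits_by_host = {}
    for f in findings:
        traits_by_host.setdefault(f.host, set()).add(f.trait)
    return sorted(h for h, t in traits_by_host.items() if len(t) >= minimum)


if __name__ == "__main__":
    all_findings = scan_proxy_log(PROXY_LOG) + scan_process_events(PROCESS_EVENTS)
    for f in all_findings:
        print(f"[{f.severity:6}] {f.host}: {f.detail}")
    print("hosts matching >=2 traits:", hosts_with_multiple_traits(all_findings))
```

A single Temp-folder execution (WS-BOB in the sample data) is common on a healthy fleet, so the correlation step only escalates hosts where independent traits coincide; in the sample the exe download, the gate.php POST and the Temp execution all land on WS-ALICE, which is the only host reported.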