Updated: June 5, 2008 2:03:50 PM
Type: Spyware
Infection Length: 2,223,616 bytes
Name: TupInsight
Version: 3
Publisher: Tup Software Ltd.
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
The program can be downloaded from www.tupsoft.com and must be manually installed.
When the program is installed, it creates the following files:
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\data1.cab
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\data1.hdr
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\data2.cab
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\ikernel.ex_
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\layout.bin
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\Setup.exe
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\Setup.ini
- %UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\setup.inx
- C:\Documents and Settings\All Users\Start Menu\Programs\Tupsoft TupInsight\Console.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\Tupsoft TupInsight\User Guide.lnk
- %ProgramFiles%\WinPcap\daemon_mgm.exe
- %ProgramFiles%\WinPcap\INSTALL.LOG
- %ProgramFiles%\WinPcap\npf_mgm.exe
- %ProgramFiles%\Tupsoft\TupInsight\Console\ACM.exe
- %ProgramFiles%\Tupsoft\TupInsight\Console\ACM.INI
- %ProgramFiles%\Tupsoft\TupInsight\Console\CommClient.dll
- %ProgramFiles%\Tupsoft\TupInsight\Console\Console.ldb
- %ProgramFiles%\Tupsoft\TupInsight\Console\Console.mdb
- %ProgramFiles%\Tupsoft\TupInsight\Console\DbBak\DbBak_[DATE]
- %ProgramFiles%\Tupsoft\TupInsight\Console\DbBak\DbBak_[DATE]
- %ProgramFiles%\Tupsoft\TupInsight\Console\FileTranClient.dll
- %ProgramFiles%\Tupsoft\TupInsight\Console\RAClient.dll
- %ProgramFiles%\Tupsoft\TupInsight\Console\Tips.ini
- %ProgramFiles%\Tupsoft\TupInsight\Console\TupInsight.chm
- %ProgramFiles%\Tupsoft\TupInsight\Engine\CommServer.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Data.ldb
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Data.mdb
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Engine.ini
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Engine.ldb
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Engine.mdb
- %ProgramFiles%\Tupsoft\TupInsight\Engine\FileLib.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\FileTranServer.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Ftp.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Http.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\Local.ini
- %ProgramFiles%\Tupsoft\TupInsight\Engine\log\TupInsight.log
- %ProgramFiles%\Tupsoft\TupInsight\Engine\PacketCap.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\PopMail.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\PortMonitor.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\RAClient.dll
- %ProgramFiles%\Tupsoft\TupInsight\Engine\RAServer.exe
- %ProgramFiles%\Tupsoft\TupInsight\Engine\TupInsight.exe
- %ProgramFiles%\Tupsoft\TupInsight\Engine\TupInsightService.exe
- %ProgramFiles%\Tupsoft\TupInsight\Engine\zlib.dll
- %System%\Microsoft\Protect\S-1-5-18\User\5b0a07e4-e65a-411f-8685-ec62ce9d0efa
- %System%\WinWsExt.ini
- %Windir%\Temp\[RANDOM FILE NAME].tmp
The program then creates the following folder:
%ProgramFiles%\installshield installation information\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
It also creates the following registry subkeys:
- HKEY_CLASSES_ROOT\WsSysSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
- HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Tupsoft TupInsight
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TupInsightCaptureEngine
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TupInsightCaptureEngine
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TupInsightCaptureEngine
- HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet
- HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
- HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
- HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet
- HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
- HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
- HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS
The program registers itself as a system service with the following characteristics:
Display Name: TupInsightCaptureEngine
Image Path: C:\Program Files\Tupsoft\TupInsight\Engine\TupInsightService.exe
Description: Network monitoring and management
The program consists of the following two components:
- A monitoring and logging engine that runs in stealth mode
- A console for retrieval of logs by a remote attacker
The program allows the following information to be logged and subsequently retrieved:
- Web sites visited
- Chat sessions
- Files transferred
- Email sent and received
- Games played
Technorati
Digg
Delicious
Reddit
StumbleUpon
Facebook
Yahoo
Twitter
Faves
Newsvine
