
W32/Tepfer.D8A1

Posted: August 29, 2013

Threat Metric

Threat Level: 9/10
Infected PCs: 7
First Seen: August 29, 2013
Last Seen: October 18, 2020
OS(es) Affected: Windows

W32/Tepfer.D8A1 is a Trojan that spreads via a spear-phishing attack aimed at FTP credentials. W32/Tepfer.D8A1 is able to target numerous organizations. Such attacks are considered part of APTs (Advanced Persistent Threats), which aim to gain a foothold in the network of an organization. W32/Tepfer.D8A1 is distributed via spam emails carrying malicious file attachments, detected as W32/Tepfer.D8A1. W32/Tepfer.D8A1 targets FTP clients. FTP clients are used in many corporations for secure file transfers, and the infection targets these to steal any sensitive information they hold.

W32/Tepfer.D8A1 steals user information from FTP software using certain Windows API functions. W32/Tepfer.D8A1 downloads malicious files from certain URLs, saves the downloaded executable files to the Temporary folder, then executes them. W32/Tepfer.D8A1 then deletes itself from the current folder. W32/Tepfer.D8A1 aims to steal stored account information or credentials of particular applications. The stolen information is then transmitted by W32/Tepfer.D8A1 to one of the certain URLs. W32/Tepfer.D8A1 arrives packaged with UPX and, once unpacked, it has its own mechanisms in place to block emulation.

W32/Tepfer.D8A1 gathers details of an affected host's FTP servers. W32/Tepfer.D8A1 watches for many popular FTP programs, which include Ghisler's Windows Commander and Total Commander, FileZilla, GlobalSCAPE CuteFTP, Far FTP, WS_FTP and FlashFXP. For CuteFTP, W32/Tepfer.D8A1 queries the Windows Registry. By searching for CuteFTP's .dat file (sm.dat, the site manager data file), W32/Tepfer.D8A1 can target CuteFTP Pro, CuteFTP and CuteFTP Lite. W32/Tepfer.D8A1 also targets CuteFTP's QCToolbar versions 6, 7 and 8 for both Home and Professional editions by querying the QCHistory registry entries. To acquire FTP details, W32/Tepfer.D8A1 queries the Windows Registry for the path of either an .ini or .dat file.

W32/Tepfer.D8A1 can also query for the actual host, username and password linked to a given FTP client application via registry subkeys. Whenever possible, W32/Tepfer.D8A1 also checks the ShSpecialFolder for the existence of known FTP client directories and then manually searches for both the .ini and .dat files; it looks for these specific directories using CSIDL values. W32/Tepfer.D8A1 may trigger a firewall alert that an executable is attempting to connect to the Internet.
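The behaviour described above (registry and file lookups for FTP client credential stores such as the CuteFTP QCHistory keys and sm.dat, an executable dropped into the Temporary folder and run, self-deletion, and a check-in to the /ponyb/gate.php URLs listed under Additional Information) is what a defender would correlate in endpoint telemetry. The following is an added example, not code from the original page or from any vendor: it scores constructed Sysmon-style events per process, and the file paths, the registry key layout and the event field names are assumptions.

```python
"""Added example: correlate endpoint events for the behaviour chain described above
(FTP-client credential-store lookups, drop-and-run from %TEMP%, self-deletion, gate.php check-in)."""
from collections import defaultdict

MAL = r"C:\Users\bob\Downloads\invoice.exe"          # constructed dropper path
TMP = r"C:\Users\bob\AppData\Local\Temp\9zifqS.exe"  # constructed path of the dropped payload
SM = r"C:\Users\bob\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat"  # CuteFTP site manager file (path assumed)
# Constructed sample telemetry, not real logs: one dict per event, "pid" ties events to a process.
EVENTS = [
    {"pid": 4120, "image": MAL, "type": "registry_query",
     "key": r"HKCU\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar\QCHistory"},  # key path assumed
    {"pid": 4120, "image": MAL, "type": "file_read", "path": SM},
    {"pid": 4120, "image": MAL, "type": "file_write", "path": TMP},
    {"pid": 4120, "image": MAL, "type": "process_create", "child": TMP},
    {"pid": 4120, "image": MAL, "type": "http_request", "method": "POST",
     "url": "http://example.invalid/ponyb/gate.php"},
    {"pid": 4120, "image": MAL, "type": "file_delete", "path": MAL},
    # Benign control: the real FTP client reading its own site manager file.
    {"pid": 980, "image": r"C:\Program Files\GlobalSCAPE\CuteFTP\cuteftppro.exe",
     "type": "file_read", "path": SM},
]

FTP_STORE_MARKERS = ("qchistory", "sm.dat")  # CuteFTP credential stores named on the page

def indicators_for(events):
    """Return the set of indicator names triggered by one process's events."""
    hits, temp_drops = set(), set()
    for ev in events:
        t = ev["type"]
        target = ev.get("key", ev.get("path", "")).lower()
        if t in ("registry_query", "file_read") and any(m in target for m in FTP_STORE_MARKERS):
            hits.add("ftp_credential_store_access")
        elif t == "file_write" and "\\temp\\" in target and target.endswith(".exe"):
            temp_drops.add(target)  # remember executables written into %TEMP%
        elif t == "process_create" and ev["child"].lower() in temp_drops:
            hits.add("exec_dropped_exe_from_temp")
        elif t == "http_request" and ev["method"] == "POST" and ev["url"].lower().endswith("/gate.php"):
            hits.add("gate_php_checkin")
        elif t == "file_delete" and target == ev["image"].lower():
            hits.add("self_delete")
    return hits

def detect(events, min_indicators=2):
    """Group events by pid; flag processes showing at least min_indicators distinct indicators."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    scored = {pid: (evs[0]["image"], sorted(indicators_for(evs))) for pid, evs in by_pid.items()}
    return {pid: v for pid, v in scored.items() if len(v[1]) >= min_indicators}
```

A single sm.dat read is expected from the FTP client itself, which is why the benign process is not flagged; the threshold is what separates the dropper from normal use of the same file.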

Technical Details

Additional Information

The following URLs were detected:
http://[Removed]-law.com/f6gGoc.exe
http://[Removed]bowling.com/9zifqS.exe
http://[Removed]house.net/ponyb/gate.php
http://[Removed]kiddoh.com/ponyb/gate.php
http://[Removed]walla.com/ponyb/gate.php
http://toft[Removed]school.co.uk/iF5DFSZ.exe