
June 24, 2008

Spyware.TupInsight

Infection Length: 2,223,616 bytes
Name: TupInsight
Version: 3
Publisher: Tup Software Ltd.
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Behavior
Spyware.TupInsight is a spyware program that monitors user activity on the Internet.

The program can be downloaded from www.tupsoft.com and must be manually installed.

When the program is installed, it creates the following files:

%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\data1.cab
%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\data1.hdr
%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\data2.cab
%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\ikernel.ex_
%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\layout.bin
%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\Setup.exe
%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\Setup.ini
%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\setup.inx
C:\Documents and Settings\All Users\Start Menu\Programs\Tupsoft TupInsight\Console.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Tupsoft TupInsight\User Guide.lnk
%ProgramFiles%\WinPcap\daemon_mgm.exe
%ProgramFiles%\WinPcap\INSTALL.LOG
%ProgramFiles%\WinPcap\npf_mgm.exe
%ProgramFiles%\Tupsoft\TupInsight\Console\ACM.exe
%ProgramFiles%\Tupsoft\TupInsight\Console\ACM.INI
%ProgramFiles%\Tupsoft\TupInsight\Console\CommClient.dll
%ProgramFiles%\Tupsoft\TupInsight\Console\Console.ldb
%ProgramFiles%\Tupsoft\TupInsight\Console\Console.mdb
%ProgramFiles%\Tupsoft\TupInsight\Console\DbBak\DbBak_[DATE]
%ProgramFiles%\Tupsoft\TupInsight\Console\DbBak\DbBak_[DATE]
%ProgramFiles%\Tupsoft\TupInsight\Console\FileTranClient.dll
%ProgramFiles%\Tupsoft\TupInsight\Console\RAClient.dll
%ProgramFiles%\Tupsoft\TupInsight\Console\Tips.ini
%ProgramFiles%\Tupsoft\TupInsight\Console\TupInsight.chm
%ProgramFiles%\Tupsoft\TupInsight\Engine\CommServer.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\Data.ldb
%ProgramFiles%\Tupsoft\TupInsight\Engine\Data.mdb
%ProgramFiles%\Tupsoft\TupInsight\Engine\Engine.ini
%ProgramFiles%\Tupsoft\TupInsight\Engine\Engine.ldb
%ProgramFiles%\Tupsoft\TupInsight\Engine\Engine.mdb
%ProgramFiles%\Tupsoft\TupInsight\Engine\FileLib.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\FileTranServer.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\Ftp.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\Http.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\Local.ini
%ProgramFiles%\Tupsoft\TupInsight\Engine\log\TupInsight.log
%ProgramFiles%\Tupsoft\TupInsight\Engine\PacketCap.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\PopMail.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\PortMonitor.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\RAClient.dll
%ProgramFiles%\Tupsoft\TupInsight\Engine\RAServer.exe
%ProgramFiles%\Tupsoft\TupInsight\Engine\TupInsight.exe
%ProgramFiles%\Tupsoft\TupInsight\Engine\TupInsightService.exe
%ProgramFiles%\Tupsoft\TupInsight\Engine\zlib.dll
%System%\Microsoft\Protect\S-1-5-18\User\5b0a07e4-e65a-411f-8685-ec62ce9d0efa
%System%\WinWsExt.ini
%Windir%\Temp\[RANDOM FILE NAME].tmp

The program then creates the following folder:

%ProgramFiles%\installshield installation information\{89CA9704-64BD-4620-8BB3-CA3F4C937034}

It also creates the following registry subkeys:

HKEY_CLASSES_ROOT\WsSysSet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Tupsoft TupInsight
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TupInsightCaptureEngine
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TupInsightCaptureEngine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TupInsightCaptureEngine
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS

The program registers itself as a system service with the following characteristics:

Display Name: TupInsightCaptureEngine
Image Path: C:\Program Files\Tupsoft\TupInsight\Engine\TupInsightService.exe
Description: Network monitoring and management

The program consists of the following two components:
- A monitoring and logging engine that runs in stealth mode
- A console for retrieval of logs by a remote attacker

The program allows the following information to be logged and subsequently retrieved:
- Web sites visited
- Chat sessions
- Files transferred
- Email sent and received
- Games played
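The file paths, registry subkeys and service characteristics above are what a defender would turn into a host check. The following is an added example, not part of the advisory and not Tup Software's code: it converts a subset of the indicators listed above, kept in the advisory's own %ProgramFiles% / [RANDOM FOLDER NAME] / [DATE] notation, into matchers and runs them over a constructed host inventory (file listing, registry export, service enumeration). The regex expansions for the placeholders, the hive abbreviations and the sample inventory are assumptions for illustration. The WinPcap files are deliberately left out of the indicator set: the advisory itself says the WinPcapInst key should be restored rather than deleted "if required", which reflects that WinPcap is shared with legitimate capture tools and is a weak indicator on its own.

```python
"""Turn the TupInsight indicators from the advisory into host-inventory checks.

Added example (not from the advisory). It runs against a constructed inventory
so it can be exercised offline; on a real host you would feed it a file listing,
a registry export and a service enumeration in the same shape.
"""
import re
from typing import Dict, List, Tuple

# Subset of the file indicators listed in the advisory, in its own notation.
FILE_INDICATORS = [
    r"%UserProfile%\Local Settings\Temp\[RANDOM FOLDER NAME].tmp\Disk1\Setup.exe",
    r"%ProgramFiles%\Tupsoft\TupInsight\Engine\TupInsightService.exe",
    r"%ProgramFiles%\Tupsoft\TupInsight\Engine\TupInsight.exe",
    r"%ProgramFiles%\Tupsoft\TupInsight\Engine\PacketCap.dll",
    r"%ProgramFiles%\Tupsoft\TupInsight\Console\DbBak\DbBak_[DATE]",
    r"%System%\WinWsExt.ini",
    r"%Windir%\Temp\[RANDOM FILE NAME].tmp",
]

# Subset of the registry subkeys listed in the advisory.
REGISTRY_INDICATORS = [
    r"HKEY_CLASSES_ROOT\WsSysSet",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TupInsightCaptureEngine",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}",
]

SERVICE_NAME = "TupInsightCaptureEngine"          # display name from the advisory
SERVICE_IMAGE = r"%ProgramFiles%\Tupsoft\TupInsight\Engine\TupInsightService.exe"

# Regex fragments for the advisory's placeholders. Drive letters and profile
# roots are assumptions covering XP-era and Vista-era directory layouts.
PLACEHOLDERS = {
    "%ProgramFiles%": r"[A-Za-z]:\\Program Files(?: \(x86\))?",
    "%System%": r"[A-Za-z]:\\(?:Windows|WINNT)\\System32",
    "%Windir%": r"[A-Za-z]:\\(?:Windows|WINNT)",
    "%UserProfile%": r"[A-Za-z]:\\(?:Documents and Settings|Users)\\[^\\]+",
    "[RANDOM FOLDER NAME]": r"[^\\]+",
    "[RANDOM FILE NAME]": r"[^\\]+",
    "[DATE]": r"[0-9_.\-]+",
}

# Common hive abbreviations seen in registry exports and tool output (assumed).
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}


def indicator_to_regex(indicator: str) -> "re.Pattern[str]":
    """Escape the literal path, then swap each placeholder for its regex fragment."""
    pattern = re.escape(indicator)
    for token, fragment in PLACEHOLDERS.items():
        pattern = pattern.replace(re.escape(token), "(?:" + fragment + ")")
    return re.compile(pattern, re.IGNORECASE)


def normalize_registry_key(key: str) -> str:
    """Expand hive abbreviations and canonicalize separators for comparison."""
    hive, sep, rest = key.replace("/", "\\").partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return hive + sep + rest.strip("\\")


def find_file_hits(observed_paths: List[str]) -> List[Tuple[str, str]]:
    """Return (observed_path, matching_indicator) pairs."""
    compiled = [(ind, indicator_to_regex(ind)) for ind in FILE_INDICATORS]
    hits = []
    for path in observed_paths:
        for ind, rx in compiled:
            if rx.fullmatch(path):
                hits.append((path, ind))
                break
    return hits


def find_registry_hits(observed_keys: List[str]) -> List[str]:
    """Return observed keys that equal a listed indicator after normalization."""
    wanted = {normalize_registry_key(k).lower() for k in REGISTRY_INDICATORS}
    return [k for k in observed_keys if normalize_registry_key(k).lower() in wanted]


def find_service_hits(services: List[Dict[str, str]]) -> List[str]:
    """Flag a service by the advisory's display name or by its image path."""
    image_rx = indicator_to_regex(SERVICE_IMAGE)
    hits = []
    for svc in services:
        by_name = svc.get("name", "").lower() == SERVICE_NAME.lower()
        by_image = image_rx.fullmatch(svc.get("image_path", "")) is not None
        if by_name or by_image:
            hits.append(svc["name"])
    return hits


def scan_host(inventory: Dict[str, list]) -> Dict[str, list]:
    """Run all three checks over one inventory dictionary."""
    return {
        "files": find_file_hits(inventory.get("files", [])),
        "registry": find_registry_hits(inventory.get("registry_keys", [])),
        "services": find_service_hits(inventory.get("services", [])),
    }


# Constructed sample inventory: three listed files, one WinPcap file that is
# intentionally not an indicator, one benign file, and a mix of registry keys.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\Program Files\Tupsoft\TupInsight\Engine\TupInsightService.exe",
        r"C:\Documents and Settings\alice\Local Settings\Temp\_is1A2B.tmp\Disk1\Setup.exe",
        r"C:\Program Files\Tupsoft\TupInsight\Console\DbBak\DbBak_2008-06-24",
        r"C:\Program Files\WinPcap\npf_mgm.exe",
        r"C:\WINDOWS\system32\notepad.exe",
    ],
    "registry_keys": [
        r"HKLM\SYSTEM\CurrentControlSet\Services\TupInsightCaptureEngine",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
    ],
    "services": [
        {"name": "TupInsightCaptureEngine",
         "image_path": r"C:\Program Files\Tupsoft\TupInsight\Engine\TupInsightService.exe",
         "description": "Network monitoring and management"},
        {"name": "Spooler", "image_path": r"C:\WINDOWS\system32\spoolsv.exe",
         "description": "Print Spooler"},
    ],
}

if __name__ == "__main__":
    for category, hits in scan_host(SAMPLE_INVENTORY).items():
        print(category, hits)
```

The service check matches on image path as well as display name because a service entry is trivially renamed, while the registry check is exact-key after normalization so that subkeys of a legitimate parent (for example anything under `Uninstall`) are not flagged wholesale.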


Removal

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

Navigate to and delete the following registry subkeys:

HKEY_CLASSES_ROOT\WsSysSet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Tupsoft TupInsight
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TUPINSIGHTCAPTUREENGINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TupInsightCaptureEngine
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TupInsightCaptureEngine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TupInsightCaptureEngine
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Classes\WsSysSet\WsSysInfoExt
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89CA9704-64BD-4620-8BB3-CA3F4C937034}
HKEY_CURRENT_USER\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS


Restore the following registry subkey to its previous value, if required:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst

Exit the Registry Editor.

Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
