Trojan Horses Definitions(t) - TargetSaver

TargetSaver

Category: Trojan Downloader

Risk: High Risk

* High-risk threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy countermeasures. May use a security flaw in the operating system to gain access to your computer.

Description: TargetSaver is a process that runs at Windows startup and opens pop-ups. TargetSaver is generally bundled with another program, which usually discloses the fact that it is ad-supported. Users agree to have the adware installed in the license agreement, although they may not realise at first that this file was packaged with the product they installed. TargetSaver opens pop-up advertising when targeted words appear in the page being viewed.

TargetSaver.Tsa: first version, uses filenames ts.exe, tsl.exe and tsm.exe, stored in the Common Files folder.

TargetSaver.Tsa2: revision using filenames ts2.exe, tsl2.exe, tsm2.exe and tsp2.exe, along with lock files held open.

The program comes with a dropper file. When the dropper runs, the program is copied as the following file:

c:\Program Files\Common Files\tsa\tsl.exe

The following Registry entry is added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Tsl" = "c:\Program Files\Common Files\tsa\tsl.exe"

The program connects to a specific web site. It can further download other programs to the machine. It might also post machine-related information to the website.

Alias: Trojan.Downloader.TSA, Uploader-R

Signatures:

Updated: 02/17/2006
Copyright © 2006 THR Computer Solutions: TargetSaver