SonicWall Security Center


Tepfer.ADQC (high risk alert)

SonicWALL wants to make you aware of the "Tepfer.ADQC" virus that is spreading across the Internet. A high risk alert has been issued for this threat.


Description


Tepfer.ADQC is an infostealer that usually spreads via spam emails with malicious attachments. Upon execution it mines the victim machine for vital information, then downloads and executes different trojan variants on the victim machine.

File Related Changes
It drops the following file(s) on the system:
  • "c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EQUQ9Q00\dotp10[1].exe"
  • "c:\Users\Admin\AppData\Local\Temp\lrtsdnn.exe"
  • "c:\Users\Admin\AppData\Local\Temp\jkgfddk.exe"
  • "c:\Users\Admin\AppData\Local\Temp\TOVA7DA.bat"
  • "c:\Users\Admin\AppData\Roaming\Fecyz\qimexe.exe"

Process Related Changes
It creates the following mutex(es):
  • "Global\{BA78B64B-4ED8-EC72-FA3A-B06ED20F9373}"
  • "IESQMMUTEX_0_208"

It creates the following process(es):
  • C:\Users\Admin\AppData\Roaming\Fecyz\qimexe.exe
  • C:\Users\Admin\AppData\Local\Temp\lrtsdnn.exe
  • C:\Users\Admin\AppData\Local\Temp\jkgfddk.exe
  • C:\Windows\system32\cmd.exe

It injects malicious code into the following process(es):
  • "C:\Windows\system32\taskhost.exe"
  • "C:\Windows\system32\Dwm.exe"
  • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"

Network Activity
It attempts to connect to the following remote servers:
  • kwaggle.com:443 (64.50.1xxxxxx)
  • certrevoc.vo.msecnd.net:80 (157.56.xxxxxx)

We observed the following DNS query/queries:
  • kwaggle.com
  • mscrl.microsoft.com
  • crl.microsoft.com
  • www.download.windowsupdate.com

Registry Related Changes
It makes the following registry modification so that the infection survives a system reboot:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qimexe = C:\Users\Admin\AppData\Roaming\Fecyz\qimexe.exe



© 2017 SonicWall