La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Adware.Mac.Tuguu.1

Aggiunto al database dei virus Dr.Web: 2015-11-06

La descrizione è stata aggiunta:

SHA1

  • 1b41c5e14f17d3a695c94fcbe696294ec0bc96f2 (dmg)
  • a6a6d0050d9ac5d69eef7228cfd0fb4480e06bb1 (mach-o)

An installer of unwanted applications that targets OS X. Once launched, it reads the ".payload” file in the application folder. The installer also contains another "payload” file, but it is not used. The file looks as follows:

host|hex-encoded json

JSON format:

{
 "publisher": "790",
 "uid": "14375585952507RhhhlENdR",
 "campaign": "1882", 
 "extra": {
      "ttbpromo": "DDL", 
      "ttbaff": "54ec7d5f5f1c1e2452000008", 
      "nrid": "14375585952507RhhhlENdR", 
      "ip": "213.***.**.60", 
      "tt": "aac2d73c437d76f03ba0609d4e2a6bcae556aa8e", 
      "ttbtt": "ddl", 
      "lpd": "www.best*****pp.com", 
      "ttbhash": "IP1lNCYV", 
      "requestHost": "admin.best*****file.com", 
      "ttbvar": "", 
      "referer": "", 
      "build": "469", 
      "time": "2015/07/22 10:49:55", 
      "ttbts": "55759fba5f1c1e6c39000000", 
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
      "fileName": "MPlayer", 
      "osVersion": "0", 
      "os": "MacOSX", 
      "browser": "ch"
 }, 
 "url": "", 
 "usedBrowser": "ch", 
 "sign": "sm1",
 "caption": "", 
 "host": "domain.com", 
 "carrier": "FastPlayerMac"
}

Once launched, the installer replaces a subdomain of the C&C server with the “api” value. For instance, if in the configuration file the URL is admin.best*****file.com, the address of the C&C server will beapi.best*****file.com".

In order to get the list of applications for download prompting, the installer creates URL and encrypts it using the key randomly generated. For encryption the AES algorithm is used in СВС mode. Then, the following line is created:

hexencode(iv+key+encoded_url)

After that, the following request is made:

http://api.<domen>/<hexencoded>

The node URL from which the applications will be downloaded is created the following way:

http://api.<domen>/stan/api/<publisher>/<campaign>/<carrier>/<language>/<region>/?browser=<browser>&ip=<ip>

The following fields are retrieved from the configuration file:

publisher
campaign
carrier
ip
browser

The following values can be used as a parameter of the “browser” variable:

 ["ff", "ch", "sf","op"]

The rest fields are updated with data that is identified based on the operation system parameters.

The server response is also encrypted with the key included in the installer’s body and contains the programs list which can be downloaded to the user’s Mac. The response has the following main fields:

  • id - an identifier of the installed application. There are minimum 736 applications judging by the existing ids.
  • score - the “rate” of an application. Since the maximum number of applications that can be prompted to install is limited, every application gets some “rate”. Then the installer tries to create an optimal list of compatible software with the highest “rate”.
  • appUrl - the address for file download.
  • restrictions - the id list of those applications that cannot be installed along with the current one. For example, the MacKeeper application will not be installed along with the MacKeeper Grouped application.

For every application, three fields that contain JavaScript encrypted with Base64 are determined:

  • preCheck - checks if the application is already installed;
  • macBehavior - the code for installation;
  • postCheck - checks if the installation was completed successfully.

The installation dialog has the Custom Installation mode, which shows check boxes that allow to refuse all the additional software.

screen Adware.Mac.Tuguu.1 #drweb

News about this threat

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android