Malware can be distributed in a wide amount of ways and its developers never stop coming up with new methods. Now they’ve decided to spread their creations with the help of affiliate programs. They also use the tactics of bundling it with legitimate software. And today we’re going to talk about a threat called Ticno (Trojan.Ticno.1537).
It can’t be considered an average malware – for starters, it’s able to hide itself from anti-virus software and do so with great efficiency. It’s also not installed on just any computer – Ticno is able to tell the real PC from a virtual machine that’s built by security researchers for combating malware. Dr.Web has already conducted the research and found the processes that this malware targets. They are irise.exe, IrisSvc.exe, wireshark.exe, ZxSniffer.exe, Regshot.exe, ollydbg.exe, PEBrowseDbg.exe, Syser.exe, VBoxService.exe, VBoxTray.exe, SandboxieRpcSs.exe, SandboxieDcomLaunch.exe, windbg.exe, ollydbg.exe and vmtools.exe.
Registry keys are also of interest to Ticno – but not every one of them. Those are HKCU\Software\CommView, HKLM\SYSTEM\CurrentControlSet\Services\IRIS5, HKCU\Software\eEye Digital Security, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark, hklm\SOFTWARE\ZxSniffer, HKCU\Software\Win Sniffer, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32, HKCU\Software\Syser Soft, hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions, HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie, HKCU\Software\Classes\Folder\shell\sandbox and HKCU\Software\Classes\*\shell\sandbox.
If Ticno is able to locate more than three of the aforementioned processes and registry keys, it stops them and then launches a Windows Explorer. And if the malware doesn’t find anything that may be determined suspicious, the “Save As” dialog box is opened and you’re asked to save a file on your computer called “1.zip”.
Of course, when something like this happens without any warning, it raises questions. Especially when a dialog box has something that it’s not supposed to have – a link which is called “Additional settings” in the bottom-left corner. If you click it, you’re presented with a list of programs that’re about to be installed on the PC.
And, of course, you shouldn’t do so because those programs don’t do anything good for the computer – they are adware and they make your system a host for all kinds of advertisements which is very detrimental to its performance. And the list of adware is not small, to say the least – it contains Trojan.ChromePatch.1, Trojan.Ticno.1548, Trojan.BPlug.1590, Trojan.Triosir.718, Trojan.Clickmein.1, and Adware.Plugin.1400. There are also the Amigo browser and [email protected] which were created by Mail.ru. The most logical explanation of them being there is that they’re a part of affiliate software installation scheme which allows the developers of Ticno to make good money. So “1.zip” shouldn’t be saved on the computer no matter what – the installation of adware begins immediately after and you don’t even need to unzip the archive to make it happen.