The Ticno trojan dupes recipients via a phony "save" dialog box.

A new trojan dupes victims into installing malicious payloads with a popup screen that mimics a Windows "save" dialog box.

Detected earlier this month by Dr.Web, a Russian anti-virus vendor, the downloader arrives packaged with other software corrupted by cybercriminals in so-called affiliate programs.

Once installed, the trojan, dubbed Trojan.Ticno.1537, scans the device to make certain it is not a virtual machine used by researchers to capture malware. Additionally, it checks user and computer names and the programs being run, examines folders, and verifies whether the system is running Perl or Python. If so, the trojan launches Windows Explorer and ceases operation.

Should the malware not detect anything suspicious, it saves the file 1.zip on the disk.

The trojan then displays a popup that appears to be a standard "save" dialog box, familiar to MS Windows users. However, should a user click on the link, Trojan.Ticno.1537 offers up a variety of programs poised to load onto the computer. Legitimate applications, such as the Amigo browser, are bundled in with the malware, likely another way for the creators to earn income via affiliate programs.

Another click begins the download and installation of a number of unwanted adware programs and a Google Chrome extension that also delivers ads – even after the trojan has been deleted from a computer.

"The most interesting feature of this trojan pack is probably the Trojan.ChromePatch.1," Kirill Kozhevnikov, PR manager at Dr.Web, told SC Media on Wednesday. "It's not the first time trojans did something like this, but this is what people should know about since the advertising injected by this adware may persist after the trojan itself is removed."

The malware cunningly replaces comments in resources.pak used by the Chrome browser so that the file size remains unchanged, Kozhevnikov said. "It's an interesting way to hide the planted advertisement almost inside the browser itself."
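
A size-preserving edit like the one described for resources.pak passes a file-size check but not a content hash. The following is an added example, not code from Dr.Web or the original article; the file name `sample.pak` and its bytes are constructed stand-ins, not real Chrome resource data.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    size: int
    sha256: str


def fingerprint(path):
    """Return the size and SHA-256 of a file, read in chunks."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return Fingerprint(size, digest.hexdigest())


def classify(baseline, current):
    """Compare a trusted baseline against the file's current state."""
    if current == baseline:
        return "unchanged"
    if current.size == baseline.size:
        # Content differs but length does not: invisible to a size-only check.
        return "modified-same-size"
    return "modified-size-changed"


def demo():
    # Constructed sample data standing in for a browser resource file.
    comment = b"/* build note: do not edit */"
    original = b"header\n" + comment + b"\nbody\n"
    same_len = b"/* " + b"X" * (len(comment) - 6) + b" */"
    variants = (original, original.replace(comment, same_len), original + b"extra")
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.pak")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(original)
        baseline = fingerprint(path)  # taken while the file is known-good
        for content in variants:
            with open(path, "wb") as fh:
                fh.write(content)
            results.append(classify(baseline, fingerprint(path)))
    return results


if __name__ == "__main__":
    print(demo())
```

The baseline has to be recorded from a known-good copy and refreshed after each legitimate browser update, since updates replace the file as well.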