Win32/Dursg [Threat Name]

Win32/Dursg.A [Threat Variant Name]

Category: trojan
Size: 50176 B
Detection created: Dec 26, 2009
Signature database version: 10081
Aliases: P2P-Worm.Win32.Agent.aak (Kaspersky)
  W32.SillyP2P (Symantec)
  Trojan:Win32/Dursg.C (Microsoft)
Short description

Win32/Dursg.A is a trojan that redirects the results of online search engines to web sites that contain adware. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\SystemProc\lsass.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RTHDBPL" = "%appdata%\SystemProc\lsass.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RTHDBPL" = "%appdata%\SystemProc\lsass.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "RTHDBPL" = "%appdata%\SystemProc\lsass.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Identities]
    • "Curr version" = "%variable1%"
    • "Last Date" = "%variable2%"
    • "Send Inst" = "%variable3%"
    • "Inst Date" = "%variable4%"
    • "Popup count" = "%variable5%"
    • "Popup time" = "%variable6%"
    • "Popup date" = "%variable7%"

The placeholders "%variable1%" to "%variable7%" stand for strings with variable content.


The trojan may create the following files:

  • %programfiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • %programfiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • %programfiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
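
The autorun values and the HKEY_CURRENT_USER\Identities state values listed above can be checked against a Registry export without touching the live machine. The script below is an added example, not part of ESET's write-up: it parses a constructed `.reg` export (the sample text, including the invented user profile path, is made up for this illustration) and reports the Dursg.A persistence indicators. It also applies a broader check than this variant needs, flagging any autorun entry whose target is an `lsass.exe` outside %SystemRoot%\System32, since that is the only place the real LSASS binary lives. The Firefox extension files are not covered here.

```python
# Added example (not from the ESET write-up): check a Windows Registry export
# (.reg text as written by `reg export`) for Win32/Dursg.A persistence entries.
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up.
DURSG_VALUE_NAME = "RTHDBPL"
DURSG_RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
)}
DURSG_IDENTITY_VALUES = {"Curr version", "Last Date", "Send Inst", "Inst Date",
                         "Popup count", "Popup time", "Popup date"}
# The only legitimate lsass.exe is %SystemRoot%\System32\lsass.exe.
LEGIT_LSASS_DIR = r"c:\windows\system32"

# Constructed sample export; the user name and the OneDrive entry are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"RTHDBPL"="C:\\Users\\alice\\AppData\\Roaming\\SystemProc\\lsass.exe"

[HKEY_CURRENT_USER\Identities]
"Curr version"="1.0"
"Popup count"="3"
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}}; non-string values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def executable_path(command):
    """Pull the executable out of an autorun command line (quoted or bare)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return PureWindowsPath(command[1:end] if end > 0 else command[1:])
    return PureWindowsPath(command)


def find_persistence(keys):
    """Return (key, value_name, reason) tuples for suspicious entries."""
    findings = []
    for key, values in keys.items():
        key_l = key.lower()
        for name, data in values.items():
            reasons = []
            if key_l in DURSG_RUN_KEYS and name == DURSG_VALUE_NAME:
                reasons.append("autorun value name RTHDBPL")
            exe = executable_path(data)
            if exe.name.lower() == "lsass.exe" and str(exe.parent).lower() != LEGIT_LSASS_DIR:
                reasons.append("lsass.exe outside System32")
            if reasons:
                findings.append((key, name, "; ".join(reasons)))
        if key_l == r"hkey_current_user\identities":
            hit = DURSG_IDENTITY_VALUES & set(values)
            if hit:
                findings.append((key, ", ".join(sorted(hit)), "Dursg.A state values"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{key}] {name}: {reason}")
```

On a real host, feed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM keys) to `parse_reg_export`; the value name alone is a weak signal, so the entry is reported with every reason that applies.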

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
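
The thread the trojan starts inside explorer.exe is visible to endpoint telemetry as a remote thread creation, which Sysmon records as Event ID 8 (CreateRemoteThread). The script below is an added example, not part of ESET's write-up: it parses two constructed Sysmon event messages (the process IDs, times and addresses are invented) and flags threads created in explorer.exe by an image outside the Windows system directories, by an `lsass.exe` that does not live in System32, or whose start address is not backed by any loaded module (Sysmon shows `StartModule: -` in that case). The first two checks generalise beyond this variant; the allowlist of source directories is an assumption to tune per environment.

```python
# Added example (not from the ESET write-up): detect remote threads injected
# into explorer.exe from Sysmon Event ID 8 (CreateRemoteThread) messages.
import re

# Directories whose executables are allowed to create threads in explorer.exe
# (assumed allowlist; legitimate shell tooling may need additions).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: one benign event from csrss.exe, one matching the
# write-up's %appdata%\SystemProc\lsass.exe injecting into explorer.exe.
SAMPLE_EVENTS = r"""CreateRemoteThread detected:
RuleName: -
UtcTime: 2009-12-26 10:15:02.117
SourceProcessId: 612
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessId: 1840
TargetImage: C:\Windows\explorer.exe
NewThreadId: 2044
StartAddress: 0x77A3F8C0
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: RtlUserThreadStart

CreateRemoteThread detected:
RuleName: -
UtcTime: 2009-12-26 10:17:45.903
SourceProcessId: 3120
SourceImage: C:\Users\alice\AppData\Roaming\SystemProc\lsass.exe
TargetProcessId: 1840
TargetImage: C:\Windows\explorer.exe
NewThreadId: 3388
StartAddress: 0x02A40000
StartModule: -
StartFunction: -
"""


def parse_sysmon_messages(text):
    """Split rendered Sysmon messages (blank-line separated) into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            if ":" in line and not line.endswith("detected:"):
                key, value = line.split(":", 1)
                event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events


def explorer_injections(events):
    """Return (UtcTime, SourceImage, reasons) for suspicious threads in explorer.exe."""
    findings = []
    for ev in events:
        src = ev.get("SourceImage", "")
        if not ev.get("TargetImage", "").lower().endswith(r"\explorer.exe"):
            continue
        src_l = src.lower()
        reasons = []
        if not src_l.startswith(SYSTEM_DIRS):
            reasons.append("source outside Windows system directories")
        if src_l.endswith("\\lsass.exe") and not src_l.startswith(SYSTEM_DIRS):
            reasons.append("lsass.exe impersonation")
        if ev.get("StartModule", "-") == "-":
            reasons.append("thread start not backed by a loaded module")
        if reasons:
            findings.append((ev.get("UtcTime", "?"), src, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for when, src, why in explorer_injections(parse_sysmon_messages(SAMPLE_EVENTS)):
        print(f"{when} {src}: {why}")
```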

Other information

Win32/Dursg.A is a trojan that redirects results of online search engines to web sites that contain adware.


The trojan tampers with the results returned by the following sites:

  • google.com
  • yahoo.com
  • msn.com
  • bing.com
  • youtube.com

The following programs are affected:

  • Internet Explorer
  • Opera
  • Google Chrome
  • Mozilla Firefox

When the user enters certain keywords into the browser, the trojan displays adware websites related to them.


The following keywords are monitored:

  • airlines
  • amazon
  • antivir
  • antivirus
  • baby
  • bank
  • bany
  • baseball
  • books
  • cars
  • casino
  • cialis
  • cigarettes
  • comcast
  • craigslist
  • credit
  • dating
  • design
  • diet
  • doctor
  • dvd
  • ebay
  • estate
  • fashion
  • film
  • finance
  • flights
  • flower
  • footbal
  • football
  • gambling
  • game
  • gifts
  • golf
  • graphic
  • health
  • hotel
  • insurance
  • iphone
  • ipod
  • job
  • loan
  • loans
  • medical
  • military
  • mobile
  • money
  • mortgage
  • movie
  • music
  • myspace
  • pharma
  • pocker
  • poker
  • porn
  • school
  • sex
  • shop
  • software
  • sport
  • spybot
  • spyware
  • trading
  • tramadol
  • travel
  • twitter
  • verizon
  • video
  • virus
  • vocations
  • wallpaper
  • weather
  • yobt

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "RTHDBPL" = "%malwarepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RTHDBPL" = "%malwarepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RTHDBPL" = "%malwarepath%"

The trojan may create copies of itself in the following folders:

  • C:\program files\winmx\shared\
  • C:\program files\tesla\files\
  • C:\program files\limewire\shared\
  • C:\program files\morpheus\my shared folder\
  • C:\program files\emule\incoming\
  • C:\program files\edonkey2000\incoming\
  • C:\program files\bearshare\shared\
  • C:\program files\grokster\my grokster\
  • C:\program files\icq\shared folder\
  • C:\program files\kazaa lite k++\my shared folder\
  • C:\program files\kazaa lite\my shared folder\
  • C:\program files\kazaa\my shared folder\

Its filename may be one of the following:

  • [+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
  • [antihack tool] Trojan Killer v2.9.4173.exe
  • [Eni0j0 team] Vmvare keygen.exe
  • [Eni0j0 team] Windows 7 Ultimate keygen.exe
  • [fixed]RapidShare Killer AIO 2010.exe
  • [patched, serial not need] Nero 9.x keygen.exe
  • [patched, serial not needed] Absolute Video Converter 6.2-7.exe
  • [patched, serial not needed] PDF to Word Converter 3.4.exe
  • [patched, serial not needed] PDF Unlocker v2.0.5.exe
  • PDF-XChange Pro.exe
  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe
  • Alcohol 120 v1.9.x.exe
  • Anti-Porn v13.x.x.x.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • AOL Instant Messenger (AIM) Hacker.exe
  • AOL Password Cracker.exe
  • Ashampoo Snap 3.xx [Skarleot Group].exe
  • Avast 4.x Professional.exe
  • Avast 5.x Professional.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • Brutus FTP Cracker.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Counter-Strike Serial key generator [Miona patch].exe
  • Daemon Tools Pro 4.8.exe
  • DCOM Exploit archive.exe
  • DivX 5.x Pro KeyGen generator.exe
  • Divx Pro 7.x version Keymaker.exe
  • Download Accelerator Plus v9.2.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.x.x.x.exe
  • FTP Cracker.exe
  • G-Force Platinum v3.7.6.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto IV [Offline Activation + mouse patch].exe
  • Half-Life 2 Downloader.exe
  • Hotmail Cracker [Brute method].exe
  • Hotmail Hacker [Brute method].exe
  • ICQ Hacker Trial version [brute].exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • IP Nuker.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • Kaspersky Internet Security 2010 keygen.exe
  • Keylogger unique builder.exe
  • K-Lite Mega Codec v5.2 Portable.exe
  • K-Lite Mega Codec v5.2.exe
  • L0pht 4.0 Windows Password Cracker.exe
  • LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
  • Magic Video Converter 8.exe
  • McAfee Total Protection 2010 [serial patch by AnalGin].exe
  • Microsoft Visual Basic KeyGen.exe
  • Microsoft Visual C++ KeyGen.exe
  • Microsoft Visual Studio KeyGen.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • MSN Password Cracker.exe
  • Myspace theme collection.exe
  • NetBIOS Cracker.exe
  • NetBIOS Hacker.exe
  • Norton Anti-Virus 2005 Enterprise Crack.exe
  • Norton Anti-Virus 2010 Enterprise Crack.exe
  • Norton Internet Security 2010 crack.exe
  • Password Cracker.exe
  • PDF password remover (works with all acrobat reader).exe
  • Power ISO v4.4 + keygen milon.exe
  • Rapidshare Auto Downloader 3.8.6.exe
  • sdbot with NetBIOS Spread.exe
  • Sophos antivirus updater bypass.exe
  • Sub7 2.5.1 Private.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.3.9.exe
  • UT 2003 KeyGen.exe
  • VmWare 7.x keygen.exe
  • Website Hacker.exe
  • Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows Password Cracker + Elar3 key.exe
  • Windows2008 keygen and activator.exe
  • WinRAR v3.x keygen [by HiXem].exe
  • Youtube Music Downloader 1.3.exe
  • YouTubeGet 5.6.exe
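
Because every copy dropped into the P2P share folders above is the same binary published under a different lure name, the copies can be found by content rather than by name: identical hashes across several share folders, with at least one name drawn from the keygen/crack vocabulary of the list, are a strong signal even when the lure name itself is innocuous (for instance "Ad-aware 2010.exe"). The script below is an added example, not part of ESET's write-up: it runs the sweep over a constructed in-memory listing (the file contents are made up; on a real host the listing would be built from the share directories on disk) and also notes whether the cluster's size matches the 50176 B sample. The lure-word heuristic is only a secondary filter; a single keygen-named file with unique content is not reported.

```python
# Added example (not from the ESET write-up): find self-copies of the trojan
# in P2P share folders by clustering executables on content hash.
import hashlib

# Share folders named in the write-up (subset; extend with the rest of the list).
P2P_SHARE_DIRS = (
    r"C:\program files\winmx\shared",
    r"C:\program files\limewire\shared",
    r"C:\program files\emule\incoming",
    r"C:\program files\kazaa\my shared folder",
)
# Vocabulary that recurs in the lure filenames listed in the write-up.
LURE_WORDS = ("keygen", "key generator", "crack", "hack", "activator", "patch", "serial")
DURSG_SAMPLE_SIZE = 50176  # size of the sample described in the write-up

# Constructed payload, padded to the sample size so the size note triggers.
_PAYLOAD = (b"MZ" + bytes(range(256)) * 196)[:DURSG_SAMPLE_SIZE]

# Constructed stand-in for the file system: {folder: {filename: bytes}}.
# On a real host build this with os.scandir() over P2P_SHARE_DIRS.
SAMPLE_LISTING = {
    P2P_SHARE_DIRS[0]: {"VmWare 7.x keygen.exe": _PAYLOAD,
                        "song.mp3": b"ID3" + b"\x00" * 64},
    P2P_SHARE_DIRS[1]: {"Adobe Illustrator CS4 crack.exe": _PAYLOAD},
    P2P_SHARE_DIRS[2]: {"Ad-aware 2010.exe": _PAYLOAD,
                        # lure name but unique content: not a self-copy cluster
                        "Hotmail Hacker [Brute method].exe": b"MZ" + b"\x90" * 300},
    P2P_SHARE_DIRS[3]: {},
}


def looks_like_lure(filename):
    """True for an .exe whose name uses the keygen/crack vocabulary."""
    name = filename.lower()
    return name.endswith(".exe") and any(w in name for w in LURE_WORDS)


def cluster_by_hash(listing):
    """Group executables across all folders by SHA-256 of their content."""
    clusters = {}
    for folder, files in listing.items():
        for name, data in files.items():
            if not name.lower().endswith(".exe"):
                continue
            digest = hashlib.sha256(data).hexdigest()
            entry = clusters.setdefault(digest, {"size": len(data), "members": []})
            entry["members"].append((folder, name))
    return clusters


def find_self_copies(listing, min_folders=2):
    """Report hash clusters spread over several share folders with a lure-named member."""
    findings = []
    for digest, entry in cluster_by_hash(listing).items():
        folders = sorted({folder for folder, _ in entry["members"]})
        lure_names = sorted(name for _, name in entry["members"] if looks_like_lure(name))
        if len(folders) >= min_folders and lure_names:
            findings.append({
                "sha256": digest,
                "size": entry["size"],
                "size_matches_sample": entry["size"] == DURSG_SAMPLE_SIZE,
                "copies": len(entry["members"]),
                "folders": folders,
                "lure_names": lure_names,
            })
    return findings


if __name__ == "__main__":
    for hit in find_self_copies(SAMPLE_LISTING):
        print(f"{hit['sha256'][:16]}... x{hit['copies']} in {len(hit['folders'])} folders: "
              f"{', '.join(hit['lure_names'])}")
```

When a cluster is found, the hash is the artefact to pivot on: it can be matched against the autorun target from the Installation section and submitted for scanning, whereas the lure names are chosen to be attractive and change from copy to copy.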

The trojan contains a list of 4 URLs. It can download a file from the Internet over HTTP and execute it.


The trojan launches the following processes:

  • c:\autoexec.exe
