Win32/TrojanDownloader.Tracur [Threat Name]

Win32/TrojanDownloader.Tracur.AM [Threat Variant Name]

Category trojan
Size 268800 B
Detection created Oct 01, 2014
Detection database version 10495
Aliases Trojan:Win32/Chroject.D!dll (Microsoft)
  TR/Tracur.A.6311 (Avira)
Short description

Win32/TrojanDownloader.Tracur.AM is a trojan which tries to download other malware from the Internet. The trojan is usually a part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %localappdata%\%existingfolder%\%variable2%\Application Data\%variable1%.dll

A string with variable content is used in place of %variable1-5%.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%system%\regsvr32.exe /s "%localappdata%\%existingfolder%\%variable2%\Application Data\%variable1%.dll""
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%system%\regsvr32.exe /s "%localappdata%\%existingfolder%\%variable2%\Application Data\%variable1%.dll""

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • autoruns
  • filemon
  • joeboxcontrol
  • joeboxserver
  • procexp
  • procmon
  • regmon
  • sniff_hit
  • sysAnalyzer
  • VBoxService
  • vboxtray
  • vmount2
  • vmsrvc
  • vmusrvc
  • vmware
  • wireshark
  • xenservice

The trojan creates the following files:

  • %localappdata%\%existingfolder%\%variable3%\%variable4%\%variable5%.js (5680 B)
  • %localappdata%\%existingfolder%\%variable3%\%variable4%\manifest.json (199 B)

The trojan installs browser extensions for the following browsers:

  • Google Chrome

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan launches the following processes:

  • %system%\regsvr32.exe /s "%malwarefilepath%"

The trojan may execute the following commands:

  • %system%\regsvr32.exe /s /u "%malwarefilepath%"
  • cmd.exe /c start regsvr32.exe "%malwarefilepath%"

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 7 URLs. The trojan generates various URL addresses. The HTTP protocol is used.

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • http://www.update.microsoft.com/

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • modify the content of websites

The trojan hooks the following Windows APIs:

  • CreateWindowExW (user32.dll)
  • GetAddrInfoW (ws2_32.dll)
  • GetCursorPos (user32.dll)
  • GetMessagePos (user32.dll)
  • GetMessageW (user32.dll)
  • GetSaveFileNameW (comdlg32.dll)
  • GetTempPathW (kernel32.dll)
  • GetWindowPlacement (user32.dll)
  • GetWindowRect (user32.dll)
  • MessageBoxExW (user32.dll)
  • MoveWindow (user32.dll)
  • PeekMessageW (user32.dll)
  • SetCursor (user32.dll)
  • SetFocus (user32.dll)
  • SetForegroundWindow (user32.dll)
  • SetWindowPlacement (user32.dll)
  • SetWindowPos (user32.dll)
  • SetWindowTextW (user32.dll)
  • ShellExecuteExW (shell32.dll)
  • SHGetFolderPathW (shell32.dll)
  • waveOutWrite (winmm.dll)

The trojan may display the following messages:

Please enable Javascript to ensure correct displaying of this content and refresh this page.