Win32/TrojanDownloader.Tracur [Threat Name]
Win32/TrojanDownloader.Tracur.AL [Threat Variant Name]
Category | trojan
Size | 262144 B
Aliases | Mal/Tracur-N (Sophos)
Short description
Win32/TrojanDownloader.Tracur.AL is a trojan which tries to promote certain web sites.
Installation
The trojan is probably a part of other malware.
When executed, the trojan copies itself into the following location:
- %appdata%\%variable1%%variable2%\%variable1%%variable2%.dll
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable1%%variable2%.dll" = "%system32%\rundll32.exe "%appdata%\%variable1%%variable2%.dll",DllRegisterServer"
This causes the trojan to be executed on every system start.
The trojan may create the following folders:
- %appdata%\%variable3%%variable4%\
- %appdata%\%variable3%%variable4%\%variable5%%variable6%\
- %appdata%\%variable3%%variable4%\%variable7%%variable8%\
- %appdata%\%variable9%%variable10%\
- %appdata%\%variable9%%variable10%\Desktop\
- %appdata%\%variable9%%variable10%\My Documents\
- %appdata%\%variable9%%variable10%\Program Files\
- %appdata%\%variable9%%variable10%\Programs\
The trojan may create the following files:
- %appdata%\%variable3%%variable4%\%variable11%%variable12%.%variable13%
- %appdata%\%variable3%%variable4%\%variable7%%variable8%\%variable14%%variable15%.js
- %appdata%\%variable3%%variable4%\%variable7%%variable8%\manifest.json
- %appdata%\%variable9%%variable10%\Temp\etilqs_%variable16%
Win32/TrojanDownloader.Tracur.AL installs the following software:
- Google Chrome
The trojan creates the following files:
- %appdata%\%variable3%%variable4%\%variable5%%variable6%\browser.exe
- %appdata%\%variable3%%variable4%\%variable5%%variable6%\VisualElementsManifest.xml
- %appdata%\%variable3%%variable4%\%variable5%%variable6%\36.0.1985.143\%chromefiles%
- %appdata%\%variable9%%variable10%\Application Data\Google\Chrome\User Data\%chromefiles%
Each of %variable1%, %variable3%, %variable5%, %variable7%, %variable9%, %variable11% and %variable14% is one of the following strings:
- Browser
- Calculator
- Cotton
- Game
- Modulator
- Narrator
- Navigator
- Polyester
- Provider
- Receiver
- Supporter
- Sysutil
- Teller
- Tool
- UI
- Utility
- Validator
- Vinyl
- Volunteer
- Whisky
Each of %variable2%, %variable4%, %variable6%, %variable8%, %variable10%, %variable12% and %variable15% is one of the following strings:
- Assistant
- Beerware
- Gravity
- Higgs
- Humble
- Infinity
- Jawa
- Joint
- Medium
- Mobile
- Model
- Noteworthy
- Optional
- Pale
- Radio
- Software
- Sync
- Visual
- Voice
- Wireless
%variable13% is one of the following strings:
- .bak
- .bin
- .cnf
- .conf
- .crx
- .dat
- .dta
- .ext
- .inf
- .ini
- .jrn
- .log
- .mod
- .nfo
- .opt
- .pac
- .pak
- .pkg
- .tar
- .tmp
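As an added detection example (not part of the ESET entry), the following Python turns the persistence entry and naming scheme described above into a hunting check: it flags Run values whose name, or whose rundll32/DllRegisterServer command line, uses a "<first word><second word>" name built from the two lists, and %appdata% folder names of the same shape. The Run values and folder names are constructed sample data; on a live host they would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run and from %appdata%.

```python
import re

# The two word lists the page gives for %variable1,3,...% and %variable2,4,...%.
FIRST_WORDS = ["Browser", "Calculator", "Cotton", "Game", "Modulator", "Narrator",
               "Navigator", "Polyester", "Provider", "Receiver", "Supporter", "Sysutil",
               "Teller", "Tool", "UI", "Utility", "Validator", "Vinyl", "Volunteer", "Whisky"]
SECOND_WORDS = ["Assistant", "Beerware", "Gravity", "Higgs", "Humble", "Infinity", "Jawa",
                "Joint", "Medium", "Mobile", "Model", "Noteworthy", "Optional", "Pale",
                "Radio", "Software", "Sync", "Visual", "Voice", "Wireless"]

# A generated name is exactly one word from each list, concatenated.
NAME_RE = "(?:%s)(?:%s)" % ("|".join(FIRST_WORDS), "|".join(SECOND_WORDS))
# Run value name as described on the page: "<Word1><Word2>.dll"
VALUE_NAME_RE = re.compile(r"^" + NAME_RE + r"\.dll$", re.IGNORECASE)
# Run value data: rundll32.exe "<path>\<Word1><Word2>.dll",DllRegisterServer
VALUE_DATA_RE = re.compile(
    r'rundll32\.exe\s+"?[^"]*\\' + NAME_RE + r'\.dll"?\s*,\s*DllRegisterServer',
    re.IGNORECASE)
# Folder created under %appdata%: "<Word1><Word2>"
FOLDER_RE = re.compile(r"^" + NAME_RE + r"$", re.IGNORECASE)


def find_tracur_run_entries(entries):
    """Return the (name, data) Run-key pairs matching the Tracur.AL persistence pattern."""
    return [(name, data) for name, data in entries
            if VALUE_NAME_RE.match(name) or VALUE_DATA_RE.search(data)]


def find_tracur_folders(folder_names):
    """Return the %appdata% folder names that are built from the two word lists."""
    return [n for n in folder_names if FOLDER_RE.match(n)]


# Constructed sample of HKCU Run values (not taken from a real host).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("UtilityHiggs.dll",
     r'C:\Windows\System32\rundll32.exe "C:\Users\alice\AppData\Roaming\UtilityHiggs.dll",DllRegisterServer'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]
# Constructed sample of folder names found directly under %appdata%.
SAMPLE_APPDATA_FOLDERS = ["Microsoft", "UtilityHiggs", "WhiskyJawa", "Higgs", "Adobe"]

if __name__ == "__main__":
    for name, data in find_tracur_run_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious Run value:", name, "=", data)
    for folder in find_tracur_folders(SAMPLE_APPDATA_FOLDERS):
        print("suspicious %appdata% folder:", folder)
```

A plain word such as "Higgs" on its own does not match, since the scheme always concatenates one word from each list.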
Other information
The trojan quits immediately if it is run within a debugger.
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 4 URLs. The HTTP protocol is used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- open a specific URL address