Win32/TrojanDownloader.Tracur [Threat Name]

Win32/TrojanDownloader.Tracur.AL [Threat Variant Name]

Category trojan
Size 262144 B
Detection created Aug 25, 2014
Detection database version 10313
Aliases Mal/Tracur-N (Sophos)
Short description

Win32/TrojanDownloader.Tracur.AL is a trojan which tries to promote certain web sites.

Installation

The trojan is probably delivered as a component of other malware.


When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%%variable2%\%variable1%%variable2%.dll

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%%variable2%.dll" = "%system32%\rundll32.exe "%appdata%\%variable1%%variable2%.dll",DllRegisterServer"

This causes rundll32.exe to load the DLL and call its DllRegisterServer export each time the affected user logs on (HKEY_CURRENT_USER Run entries execute at user logon, not at system start).


The trojan may create the following folders:

  • %appdata%\%variable3%%variable4%\
  • %appdata%\%variable3%%variable4%\%variable5%%variable6%\
  • %appdata%\%variable3%%variable4%\%variable7%%variable8%\
  • %appdata%\%variable9%%variable10%\
  • %appdata%\%variable9%%variable10%\Desktop\
  • %appdata%\%variable9%%variable10%\My Documents\
  • %appdata%\%variable9%%variable10%\Program Files\
  • %appdata%\%variable9%%variable10%\Programs\

The trojan may create the following files:

  • %appdata%\%variable3%%variable4%\%variable11%%variable12%.%variable13%
  • %appdata%\%variable3%%variable4%\%variable7%%variable8%\%variable14%%variable15%.js
  • %appdata%\%variable3%%variable4%\%variable7%%variable8%\manifest.json
  • %appdata%\%variable9%%variable10%\Temp\etilqs_%variable16%

The etilqs_ prefix is SQLite's temporary-file naming ("sqlite" reversed), consistent with the bundled Chrome browser described below rather than a marker unique to this trojan.

Win32/TrojanDownloader.Tracur.AL installs the following software:

  • Google Chrome

The trojan creates the following files (a private copy of Chrome, version 36.0.1985.143, with browser.exe as its executable, plus a separate user-data directory):

  • %appdata%\%variable3%%variable4%\%variable5%%variable6%\browser.exe
  • %appdata%\%variable3%%variable4%\%variable5%%variable6%\VisualElementsManifest.xml
  • %appdata%\%variable3%%variable4%\%variable5%%variable6%\36.0.1985.143\%chromefiles%
  • %appdata%\%variable9%%variable10%\Application Data\Google\Chrome\User Data\%chromefiles%

Each of %variable1%, %variable3%, %variable5%, %variable7%, %variable9%, %variable11% and %variable14% is one of the following strings:

  • Browser
  • Calculator
  • Cotton
  • Game
  • Modulator
  • Narrator
  • Navigator
  • Polyester
  • Provider
  • Receiver
  • Supporter
  • Sysutil
  • Teller
  • Tool
  • UI
  • Utility
  • Validator
  • Vinyl
  • Volunteer
  • Whisky

Each of %variable2%, %variable4%, %variable6%, %variable8%, %variable10%, %variable12% and %variable15% is one of the following strings:

  • Assistant
  • Beerware
  • Gravity
  • Higgs
  • Humble
  • Infinity
  • Jawa
  • Joint
  • Medium
  • Mobile
  • Model
  • Noteworthy
  • Optional
  • Pale
  • Radio
  • Software
  • Sync
  • Visual
  • Voice
  • Wireless

%variable13% is one of the following strings:

  • .bak
  • .bin
  • .cnf
  • .conf
  • .crx
  • .dat
  • .dta
  • .ext
  • .inf
  • .ini
  • .jrn
  • .log
  • .mod
  • .nfo
  • .opt
  • .pac
  • .pak
  • .pkg
  • .tar
  • .tmp
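
A hunting script for the artefacts described above, added here as an example; it is not ESET's code and is not taken from the sample. It derives the 400 possible %variableN%%variableM% names from the two word lists, then flags HKCU Run values that invoke rundll32 on a DLL with such a name under %appdata% through DllRegisterServer (the persistence entry above), and %appdata% folders carrying such names. The `reg query` output and file paths it checks are constructed for illustration.

```python
"""Hunt for Win32/TrojanDownloader.Tracur.AL persistence artefacts.

Added example, not ESET's code and not taken from the sample: it derives the
two-word names the description says the trojan generates (%variableN%%variableM%)
and flags Run values and %appdata% paths that fit the pattern.  The registry
output and file paths below are constructed for illustration.
"""
import itertools
import re

FIRST_WORDS = ["Browser", "Calculator", "Cotton", "Game", "Modulator", "Narrator",
               "Navigator", "Polyester", "Provider", "Receiver", "Supporter",
               "Sysutil", "Teller", "Tool", "UI", "Utility", "Validator", "Vinyl",
               "Volunteer", "Whisky"]
SECOND_WORDS = ["Assistant", "Beerware", "Gravity", "Higgs", "Humble", "Infinity",
                "Jawa", "Joint", "Medium", "Mobile", "Model", "Noteworthy",
                "Optional", "Pale", "Radio", "Software", "Sync", "Visual", "Voice",
                "Wireless"]

# Every name the generator can produce (20 x 20 = 400), lower-cased for matching.
GENERATED_NAMES = frozenset(
    (a + b).lower() for a, b in itertools.product(FIRST_WORDS, SECOND_WORDS)
)

# rundll32[.exe] "<path>.dll",<export> as it appears in a Run value's data.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I
)
# One value line of `reg query HKCU\...\Run` output: <name>  REG_SZ  <data>
REG_LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")
# First folder directly under %appdata% (literal variable or expanded path).
APPDATA_CHILD_RE = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\([^\\]+)", re.I)


def is_generated_name(name):
    """True if a folder name or file stem is one of the 400 generated names."""
    return name.lower() in GENERATED_NAMES


def in_appdata(path):
    """True if the path sits under %appdata%, literal or expanded."""
    p = path.replace("/", "\\").lower()
    return "%appdata%\\" in p or "\\appdata\\roaming\\" in p


def is_tracur_run_value(data):
    """Match the described Run value: rundll32 loading a generated-name DLL
    from %appdata% through its DllRegisterServer export."""
    m = RUNDLL_RE.search(data)
    if not m or m.group("export").lower() != "dllregisterserver":
        return False
    dll = m.group("dll")
    stem = dll.replace("/", "\\").rsplit("\\", 1)[-1][: -len(".dll")]
    return in_appdata(dll) and is_generated_name(stem)


def scan_reg_query(output):
    """Return value names of Run entries in `reg query` output that match."""
    hits = []
    for line in output.splitlines():
        m = REG_LINE_RE.match(line)
        if m and is_tracur_run_value(m.group("data")):
            hits.append(m.group("name"))
    return hits


def generated_appdata_dirs(paths):
    """Return %appdata% top-level folders whose names are generated names
    (the %variable3%%variable4% / %variable9%%variable10% folders above)."""
    found = set()
    for path in paths:
        m = APPDATA_CHILD_RE.search(path.replace("/", "\\"))
        if m and is_generated_name(m.group(1)):
            found.add(m.group(1))
    return found


# Constructed sample data: one benign Run value, one benign rundll32 value,
# and two values shaped like the described persistence entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    CottonHiggs.dll    REG_SZ    C:\Windows\system32\rundll32.exe "C:\Users\alice\AppData\Roaming\CottonHiggs\CottonHiggs.dll",DllRegisterServer
    Updater    REG_SZ    C:\Windows\system32\rundll32.exe "C:\Program Files\Vendor\updater.dll",Start
    WhiskyJawa.dll    REG_SZ    %system32%\rundll32.exe "%appdata%\WhiskyJawa.dll",DllRegisterServer
"""
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk",
    r"C:\Users\alice\AppData\Roaming\GameHumble\ToolRadio\browser.exe",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Preferences",
    r"%appdata%\VinylSync\Application Data\Google\Chrome\User Data\Default\Preferences",
]

if __name__ == "__main__":
    print("Run values:", scan_reg_query(SAMPLE_REG_QUERY))
    print("Folders:", sorted(generated_appdata_dirs(SAMPLE_PATHS)))
```

Matching on the full two-word name rather than either word alone keeps false positives down (a folder called "Browser" or "Software" under %appdata% is common; "WhiskyJawa" is not), and requiring rundll32, an %appdata% path and the DllRegisterServer export together mirrors the exact Run value ESET describes. On a live host the same functions can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a directory listing of %APPDATA%.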

Other information

The trojan quits immediately if it is run within a debugger.


The trojan terminates if it detects that it is running in a specific virtual environment.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of four URLs and communicates with them over HTTP.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
