Win32/TrojanDownloader.Tracur [Threat Name]
Win32/TrojanDownloader.Tracur.D [Threat Variant Name]
Category | trojan
Size | 792576 B
Aliases | TrojanDownloader:Win32/Tracur.X (Microsoft)
Short description
Win32/TrojanDownloader.Tracur.D is a trojan that changes results of online search engines.
Installation
When executed, the trojan copies itself into the following location:
- %currentfolder%\msiexec.exe
- %system%\%variable1%32.exe
The trojan creates the following files:
- %sysdir%\%variable2%32.dll (443392 B, Win32/TrojanDownloader.Tracur.D)
The trojan may create copies of itself using the following filenames:
- %appdata%\%variable1%32.exe
The trojan registers itself as a system service using a random filename.
The trojan executes the following commands:
- netsh.exe firewall add allowedprogram "program=%system%\%variable1%32.exe" name="Windows Update Service" mode=ENABLE scope=ALL profile=ALL
- netsh.exe advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="program=%system%\%variable1%32.exe" enable=yes profile=domain
These commands add an exception for the trojan's executable to the Windows Firewall.
The following Registry entries are created:
- [HKEY_CLASSES_ROOT\CLSID\%variable3%]
- [HKEY_CLASSES_ROOT\.fsharproj\PersistentHandler]
- "(Default)" = "%variable4%"
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "XMLHTTP_UUID_Default" = "%variable5%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%variable5%]
- [HKEY_CLASSES_ROOT\CLSID\%variable5%\InprocServer32]
- "(Default)" = "%system%\%variable2%32.dll"
- "ThreadingModel" = "Both"
- [HKEY_CLASSES_ROOT\%variable6%\CLSID]
- "(Default)" = "%variable3%"
- [HKEY_USERS\%variable7%\Software\%variable6%\CLSID]
- "(Default)" = "%variable3%"
- [HKEY_USERS\%variable7%\Software\Microsoft\Internet Explorer\Main]
- "XMLHTTP_UUID_Default" = "%variable5%"
The trojan may create the following files:
- %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\install.rdf (771 B)
- %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\defaults\preferences\xulcache.js (256 B)
- %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome\xulcache.jar (1672 B, JS/Agent.NDJ trojan)
- %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome.manifest (134 B, Win32/TrojanDownloader.Tracur.F)
- %profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable9%\manifest.json (244 B)
- %profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable10%\contentscript.js (4308 B, Win32/TrojanDownloader.Tracur.F)
A string with variable content is used instead of %variable1-10%.
The trojan registers the file %system%\%variable2%32.dll as a Browser Helper Object module in Internet Explorer.
The trojan registers the file %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome\xulcache.jar as a Firefox Add-On module in Mozilla Firefox.
The trojan registers the file %profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable10%\contentscript.js as a Chrome Extension module in Google Chrome.
Other information
The trojan interferes with communication when any of the following sites is accessed:
- ask.com
- snap.com
- hotbot.com
- gigablast.com
- alltheweb.com
- altavista.com
- search.lycos.com
- bing.com
- search.netscape.com
- search.aol.com
- search.yahoo.com
- youtube.com/results
- google.
The trojan can redirect results of online search engines to web sites that contain adware.
The trojan contains a list of 6 URLs.
It tries to download a file from these addresses over HTTP.
The file is stored in the following location:
- %system%\%existingfilename%32.dll
The file is then executed.