Win32/TrojanDownloader.Tracur [Threat Name] go to Threat

Win32/TrojanDownloader.Tracur.D [Threat Variant Name]

Category	trojan
Size	792576 B
Aliases	TrojanDownloader:Win32/Tracur.X (Microsoft)

Short description

Win32/TrojanDownloader.Tracur.D is a trojan that changes results of online search engines.

Installation

When executed, the trojan copies itself into the following location:

%currentfolder%\msiexec.exe
%system%\%variable1%32.exe

The trojan creates the following files:

%sysdir%\%variable2%32.dll (443392 B, Win32/TrojanDownloader.Tracur.D)

The trojan may create copies of itself using the following filenames:

%appdata%\%variable1%32.exe

The trojan registers itself as a system service using a random filename.

The trojan executes the following commands:

netsh.exe firewall add allowedprogram "program=%system%\%variable1%32.exe" name="Windows Update Service" mode=ENABLE scope=ALL profile=ALL
netsh.exe advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="program=%system%\%variable1%32.exe" enable=yes profile=domain

The performed command creates an exception in the Windows Firewall.

The following Registry entries are created:

[HKEY_CLASSES_ROOT\CLSID\%variable3%]
[HKEY_CLASSES_ROOT\.fsharproj\PersistentHandler]
- "(Default)" = "%variable4%"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "XMLHTTP_UUID_Default" = "%variable5%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%variable5%]
[HKEY_CLASSES_ROOT\CLSID\%variable5%\InprocServer32]
- "(Default)" = "%system%\%variable2%32.dll"
- "ThreadingModel" = "Both"
[HKEY_CLASSES_ROOT\%variable6%\CLSID]
- "(Default)" = "%variable3%"
[HKEY_USERS\%variable7%\Software\%variable6%\CLSID]
- "{Default}" = "%variable3%"
[HKEY_USERS\%variable7%\Software\Microsoft\Internet Explorer\Main]
- "XMLHTTP_UUID_Default" = "%variable5%"

The trojan may create the following files:

%profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\install.rdf (771 B)
%profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\defaults\preferences\xulcache.js (256 B)
%profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome\xulcache.jar (1672 B, JS/Agent.NDJ trojan)
%profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome.manifest (134 B, Win32/TrojanDownloader.Tracur.F)
%profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable9%\manifest.json (244 B)
%profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable10%\contentscript.js (4308 B, Win32/TrojanDownloader.Tracur.F)

A string with variable content is used instead of %variable1-10% .

The trojan registers the file %system%\%variable2%32.dll as a Browser Helper Object module in Internet Explorer .

The trojan registers the file %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome\xulcache.jar as a Firefox Add-On module in Mozilla Firefox .

The trojan registers the file %profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable10%\contentscript.js as a Chrome Extension module in Google Chrome .

Other information

Win32/TrojanDownloader.Tracur.D is a trojan that changes results of online search engines.

The trojan interferes with communication when any of the following sites is accessed:

ask.com
snap.com
hotbot.com
gigablast.com
alltheweb.com
altavista.com
search.lycos.com
bing.com
search.netscape.com
search.aol.com
search.yahoo.com
youtube.com/results
google.

The trojan can redirect results of online search engines to web sites that contain adware.

The trojan contains a list of (6) URLs.

It tries to download a file from the addresses. The HTTP protocol is used.

The file is stored in the following location:

%system%\%existingfilename%32.dll

The file is then executed.