Win32/TrojanDownloader.Tracur [Threat Name]

Win32/TrojanDownloader.Tracur.D [Threat Variant Name]

Category trojan
Size 792576 B
Aliases TrojanDownloader:Win32/Tracur.X (Microsoft)
Short description

Win32/TrojanDownloader.Tracur.D is a trojan that changes results of online search engines.

When executed, the trojan copies itself to the following locations:

  • %currentfolder%\msiexec.exe
  • %system%\%variable1%32.exe

The trojan creates the following files:

  • %system%\%variable2%32.dll (443392 B, Win32/TrojanDownloader.Tracur.D)

The trojan may create copies of itself using the following filenames:

  • %appdata%\%variable1%32.exe

The trojan registers itself as a system service using a random filename.

The trojan executes the following commands:

  • netsh.exe firewall add allowedprogram "program=%system%\%variable1%32.exe" name="Windows Update Service" mode=ENABLE scope=ALL profile=ALL
  • netsh.exe advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="program=%system%\%variable1%32.exe" enable=yes profile=domain

These commands add a Windows Firewall exception for the trojan's copy in %system%, under a rule name that imitates a Windows component. The first form uses the legacy netsh firewall context of Windows XP; the second uses the advfirewall context of Windows Vista and later.
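The following script audits a firewall rule dump for exactly this kind of exception. It is an added example, not ESET's code or anything taken from the malware: it parses the text of `netsh advfirewall firewall show rule name=all verbose`, and the sample output embedded in it is constructed (the file name `lkqzr32.exe` stands in for `%variable1%32.exe`). The small allowlist of genuine Windows binaries whose names end in `32.exe` is an assumption, as is the heuristic that a rule with no Grouping was added by hand.

```python
"""Added example (not from the original page): audit a Windows Firewall rule dump
for a Tracur-style exception.

Input is the text of `netsh advfirewall firewall show rule name=all verbose`.
SAMPLE_NETSH_OUTPUT below is constructed to resemble that output, not captured
from an infected host. Indicators follow the page: a rule named "Windows Update
Service" that allows a program %system%\\<name>32.exe. The allowlist of genuine
Windows binaries named *32.exe is an illustrative assumption.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: one built-in Windows rule and one shaped like the page's netsh command.
# "lkqzr32.exe" is a made-up stand-in for %variable1%32.exe.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Program:                              C:\\Windows\\system32\\svchost.exe
Action:                               Allow

Rule Name:                            Windows Update Service
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\\Windows\\system32\\lkqzr32.exe
Action:                               Allow
Ok.
"""

# Assumed allowlist: real Windows binaries in system32 whose names end in "32.exe".
GENUINE_SYSTEM32_32_BINARIES = {"rundll32.exe", "regsvr32.exe", "odbcad32.exe"}
TRACUR_EXE_RE = re.compile(r"^[a-z0-9]+32\.exe$", re.I)


def parse_rules(text: str) -> list[dict[str, str]]:
    """Split netsh 'show rule' output into one dict per rule, keyed by field name."""
    rules: list[dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line:          # separators, blank lines and the trailing "Ok."
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Rule Name":
            rules.append({field: value})
        elif rules:
            rules[-1][field] = value
    return rules


def find_suspicious(rules: list[dict[str, str]]) -> list[dict]:
    """Return allow rules that match the Tracur pattern, with the reasons they matched."""
    hits = []
    for rule in rules:
        program = rule.get("Program", "")
        if not program or rule.get("Action", "").lower() != "allow":
            continue
        path = PureWindowsPath(program)
        reasons = []
        # Indicator 1: the allowed program is %system%\<name>32.exe (the page's dropped copy).
        if (path.parent.name.lower() == "system32"
                and TRACUR_EXE_RE.match(path.name)
                and path.name.lower() not in GENUINE_SYSTEM32_32_BINARIES):
            reasons.append("allowed program is <name>32.exe under system32")
        # Indicator 2 (assumed heuristic): the name imitates Windows Update, yet the rule
        # belongs to no feature group, which is how a rule added by 'netsh ... add rule' looks.
        if "windows update" in rule["Rule Name"].lower() and not rule.get("Grouping"):
            reasons.append("name imitates Windows Update but rule has no Grouping")
        if reasons:
            hits.append({"rule": rule["Rule Name"], "program": program, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_rules(SAMPLE_NETSH_OUTPUT)):
        print(f'{hit["rule"]!r} -> {hit["program"]}: {"; ".join(hit["reasons"])}')
```

Run it against a dump saved from a suspect host (`netsh advfirewall firewall show rule name=all verbose > rules.txt`) by passing the file contents to `parse_rules`. A hit on either indicator alone is worth a look; a rule that matches both is the shape the page describes.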

The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\CLSID\%variable3%]
  • [HKEY_CLASSES_ROOT\.fsharproj\PersistentHandler]
    • "(Default)" = "%variable4%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "XMLHTTP_UUID_Default" = "%variable5%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%variable5%]
  • [HKEY_CLASSES_ROOT\CLSID\%variable5%\InprocServer32]
    • "(Default)" = "%system%\%variable2%32.dll"
    • "ThreadingModel" = "Both"
  • [HKEY_CLASSES_ROOT\%variable6%\CLSID]
    • "(Default)" = "%variable3%"
  • [HKEY_USERS\%variable7%\Software\%variable6%\CLSID]
    • "(Default)" = "%variable3%"
  • [HKEY_USERS\%variable7%\Software\Microsoft\Internet Explorer\Main]
    • "XMLHTTP_UUID_Default" = "%variable5%"

The trojan may create the following files:

  • %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\install.rdf (771 B)
  • %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\defaults\preferences\xulcache.js (256 B)
  • %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome\xulcache.jar (1672 B, JS/Agent.NDJ trojan)
  • %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome.manifest (134 B, Win32/TrojanDownloader.Tracur.F)
  • %profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable9%\manifest.json (244 B)
  • %profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable10%\contentscript.js (4308 B, Win32/TrojanDownloader.Tracur.F)

%variable1-10% stands for a string with variable content.

The trojan registers the file %system%\%variable2%32.dll as a Browser Helper Object module in Internet Explorer.

The trojan registers the file %profilefolder%\Application Data\Mozilla\Firefox\Profiles\%variable8%.default\extensions\{%variable4%}\chrome\xulcache.jar as a Firefox Add-On module in Mozilla Firefox.

The trojan registers the file %profilefolder%\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\%variable10%\contentscript.js as a Chrome Extension module in Google Chrome.
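The Internet Explorer persistence above can be checked offline from a registry export. The script below is an added example, not ESET's code or code from the malware: it parses the text of a `reg export` (.reg) file and flags a Browser Helper Object whose InprocServer32 points to `%system%\<name>32.dll`, and whose CLSID also appears in the `XMLHTTP_UUID_Default` value under `...\Internet Explorer\Main`, which is the pairing the registry entries listed above describe. The sample .reg text is constructed; the CLSIDs and the DLL name `qpwxe32.dll` in it are made up stand-ins for `%variable5%` and `%variable2%32.dll`.

```python
"""Added example (not from the original page): find a Tracur-style Browser Helper
Object in a registry export.

Input is the text of a `reg export` (.reg) file. SAMPLE_REG below is constructed;
its CLSIDs and the DLL name "qpwxe32.dll" are made-up stand-ins for the page's
%variable5% and %variable2%32.dll. Indicators follow the page: a BHO whose
InprocServer32 points to %system%\\<name>32.dll, and the same CLSID stored in
IE's "XMLHTTP_UUID_Default" value under ...\\Internet Explorer\\Main.
"""
import re
from pathlib import PureWindowsPath

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TRACUR_DLL_RE = re.compile(r"^[a-z0-9]+32\.dll$", re.I)

# Constructed sample: one ordinary vendor BHO and one shaped like the page's registry entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\LinkHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\system32\\qpwxe32.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
"""


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse the .reg subset written by 'reg export': [key] headers and REG_SZ
    values ("name"="..." or @="..." for the default value). Other types are skipped."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if not (value.startswith('"') and value.endswith('"')):
                continue
            name = "@" if name == "@" else name.strip('"')
            # .reg escapes backslashes and double quotes inside string data
            keys[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_tracur_bhos(keys: dict[str, dict[str, str]]) -> list[dict]:
    """Return registered BHOs matching the Tracur pattern, with the reasons they matched."""
    lowered = {k.lower(): v for k, v in keys.items()}
    # CLSIDs recorded in XMLHTTP_UUID_Default under any Internet Explorer\Main key (HKCU or HKU)
    marker_clsids = {
        v.get("XMLHTTP_UUID_Default", "").lower()
        for k, v in lowered.items()
        if k.endswith(r"\software\microsoft\internet explorer\main")
    }
    hits = []
    for key in keys:
        if not key.lower().startswith(BHO_ROOT.lower() + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        server = lowered.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        dll = server.get("@", "")
        path = PureWindowsPath(dll)
        reasons = []
        if path.parent.name.lower() == "system32" and TRACUR_DLL_RE.match(path.name):
            reasons.append("InprocServer32 DLL is <name>32.dll under system32")
        if clsid.lower() in marker_clsids:
            reasons.append("CLSID is stored in IE XMLHTTP_UUID_Default")
        if reasons:
            hits.append({"clsid": clsid, "dll": dll, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_tracur_bhos(parse_reg(SAMPLE_REG)):
        print(f'{hit["clsid"]} -> {hit["dll"]}: {"; ".join(hit["reasons"])}')
```

To use it on a real host, export the three locations the page names (the Browser Helper Objects key, HKCR\CLSID and the HKCU and HKU `Internet Explorer\Main` keys) with `reg export`, concatenate the files, and pass the text to `parse_reg`. Note that `reg export` writes UTF-16 with a BOM, so read the file with the appropriate encoding before parsing.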

Other information

Win32/TrojanDownloader.Tracur.D is a trojan that changes results of online search engines.

The trojan interferes with communication when any of the following sites is accessed:

  • google.

The trojan can redirect results of online search engines to web sites that contain adware.

The trojan contains a list of (6) URLs.

It tries to download a file from these addresses over HTTP.

The file is stored in the following location:

  • %system%\%existingfilename%32.dll

The file is then executed.
