TrojanDownloader:Win32/Tracur.M
First posted on 25 February 2010.
Source: SecurityHome
Aliases :
TrojanDownloader:Win32/Tracur.M is also known as Win-Trojan/Xema.variant (AhnLab), W32/BZub.EAX (Norman), Trojan-Spy.Win32.Bzub (Ikarus), Adware/BHO (Panda), Trojan.Win32.Boaxxe.F (Sunbelt Software), Trojan.Vundo (Symantec), TROJ_VUNDO.KKY (Trend Micro).
Explanation :
TrojanDownloader:Win32/Tracur.M is a trojan that redirects user searches from legitimate search sites to a Web site that contains malware. It is installed as a Browser Helper Object (BHO) in Internet Explorer, and replaces Firefox Extension Settings files.
Installation
When executed, TrojanDownloader:Win32/Tracur.M creates the following registry subkeys to register itself as a Browser Helper Object (BHO):
HKCR\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69AE3232-53EF-44B0-B1E1-0821A0EE4998}
HKCR\CLSID\{69AE3232-53EF-44B0-B1E1-0821A0EE4998}\InprocServer32\

If Firefox is installed in the system, TrojanDownloader:Win32/Tracur.M also installs itself as a Firefox extension by replacing the following files:
%APPDATA%\Mozilla\Firefox\Profiles\install.rdf
%APPDATA%\Mozilla\Firefox\Profiles\chrome\xulcache.jar
%APPDATA%\Mozilla\Firefox\Profiles\chrome\chrome.manifest

Payload
Redirects user searches
TrojanDownloader:Win32/Tracur.M redirects searches when the following search engines are used:
AOL
Ask
Bing
Yahoo!

Searches to these sites are redirected to the IP address "74.50.117.107", which may contain other malware.
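
A host triage check for the artifacts listed under Installation, as an added example that is not part of the original write-up: it tests for the two registry subkeys as printed above and looks for the three Firefox files under the Profiles directory and, as an assumption beyond the listed paths, under each profile subdirectory. The function name is hypothetical, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example: report Tracur.M artifacts from this page that exist on the local host.
function Get-TracurMArtifacts {
    $clsid = '{69AE3232-53EF-44B0-B1E1-0821A0EE4998}'
    $found = @()

    # Registry subkeys exactly as listed on the page (HKCR = HKEY_CLASSES_ROOT).
    $keys = @(
        "Registry::HKEY_CLASSES_ROOT\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
        "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            # For an InprocServer32 key the default value is the path of the
            # registered DLL; for the BHO key it is normally empty.
            $default = (Get-Item -LiteralPath $key).GetValue('')
            $found += [pscustomobject]@{ Kind = 'Registry'; Path = $key; Detail = $default }
        }
    }

    # Firefox files from the page, relative to the Profiles directory.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $relative = 'install.rdf', 'chrome\xulcache.jar', 'chrome\chrome.manifest'

    # Assumption: also check each profile subdirectory, since Firefox keeps
    # every profile in its own folder below Profiles.
    $roots = @($profiles)
    if (Test-Path -LiteralPath $profiles) {
        $roots += @(Get-ChildItem -LiteralPath $profiles -Directory |
                    ForEach-Object { $_.FullName })
    }

    foreach ($root in $roots) {
        foreach ($rel in $relative) {
            $file = Join-Path $root $rel
            if (Test-Path -LiteralPath $file -PathType Leaf) {
                # Hash and timestamp let the file be compared with a known-good copy.
                $item = Get-Item -LiteralPath $file
                $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                $when = $item.LastWriteTimeUtc.ToString('u')
                $found += [pscustomobject]@{ Kind = 'File'; Path = $file; Detail = "$hash modified $when" }
            }
        }
    }
    $found
}

Get-TracurMArtifacts | Format-List
```

A file hit alone is not conclusive, because the page describes these files as replaced rather than created; a registry hit on the CLSID is the stronger signal.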
Analysis by Marian Radu
Last update 25 February 2010