Trojan:Win32/Tracur.Y
First posted on 13 April 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Tracur.Y is also known as Trojan.AVKill.8499 (Dr.Web), Trojan-Downloader.Win32.Tracur (Ikarus), Trojan.Win32.Menti.hkfc (Kaspersky).
Explanation:
Trojan:Win32/Tracur.Y is a trojan that downloads and executes arbitrary files.
Installation
When executed, Trojan:Win32/Tracur.Y drops the following files:
- <system folder>\<random string>32.exe, for example "authz32.exe" - copy of itself
- <system folder>\<random string>32.dll, for example "authz32.dll" - detected as Trojan:Win32/Tracur.Q
where <random string> is a randomly-generated string.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It then installs its dropped DLL file as a BHO, for example:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{0676AFA4-30CB-42C2-9713-1A5946D947C7}\InprocServer32
Sets value: "(default)"
With data: "<system folder>\authz32.dll"
It also creates a mutex named "Mutex_<random 10 letters>" as part of its installation routine.
Payload
Downloads and executes arbitrary files
Trojan:Win32/Tracur.Y attempts to connect to the following IP address to download arbitrary files:
- 91.217.153.48
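The installation artifacts and the download address above can be turned into a host-side hunt. The script below is an added example written for this page, not Microsoft's own tooling, and it runs over constructed sample data standing in for a registry export, a system-folder listing, a mutex list and an outbound-connection list (the function names, the sample entries and the severity labels are my own). It ties the indicators together rather than matching each in isolation: the "<random string>32.dll" name shape alone would also match legitimate Windows binaries such as kernel32.dll, so the EXE/DLL pair is only confirmed once the DLL has been found registered as InprocServer32 under the Tracur BHO CLSID.

```python
"""Hunt for the Trojan:Win32/Tracur.Y artifacts described in the write-up.

All input below is constructed sample data, not a real host capture.
"""
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken directly from the write-up.
BHO_CLSID = "{0676AFA4-30CB-42C2-9713-1A5946D947C7}"
C2_IP = "91.217.153.48"
BHO_INPROC_KEY = f"HKLM\\SOFTWARE\\Classes\\CLSID\\{BHO_CLSID}\\InprocServer32".lower()

# Shapes of the randomly named artifacts: "<random string>32.exe/.dll" and
# "Mutex_<random 10 letters>".  The file pattern alone also matches legitimate
# Windows binaries (kernel32.dll, user32.dll, ...), so it is only used to
# confirm the EXE/DLL pair after the DLL has been tied to the BHO CLSID.
DROPPED_NAME_RE = re.compile(r"^(?P<stem>[a-z]+32)\.(?P<ext>exe|dll)$", re.IGNORECASE)
MUTEX_RE = re.compile(r"^Mutex_[A-Za-z]{10}$")

Finding = Tuple[str, str]  # (severity, description)


def find_bho_dll(registry: Dict[Tuple[str, str], str]) -> Optional[str]:
    """Return the DLL path registered as InprocServer32 for the Tracur CLSID.

    `registry` maps (key path, value name) -> data, as an export would give.
    """
    for (key, value_name), data in registry.items():
        if key.lower() == BHO_INPROC_KEY and value_name == "(default)":
            return data
    return None


def find_dropped_pair(dll_path: str, system_files: List[str]) -> List[str]:
    """Given the BHO DLL path, return it plus a sibling <stem>.exe if present."""
    folder, _, name = dll_path.rpartition("\\")
    match = DROPPED_NAME_RE.match(name)
    if not match:
        return []
    wanted = {f"{match['stem']}.exe".lower(), f"{match['stem']}.dll".lower()}
    hits = []
    for path in system_files:
        path_folder, _, path_name = path.rpartition("\\")
        if path_folder.lower() == folder.lower() and path_name.lower() in wanted:
            hits.append(path)
    return sorted(hits)


def scan_host(registry: Dict[Tuple[str, str], str], system_files: List[str],
              mutexes: List[str], connections: List[Tuple[str, int]]) -> List[Finding]:
    """Correlate the four artifact classes into a list of findings."""
    findings: List[Finding] = []
    dll = find_bho_dll(registry)
    if dll:
        findings.append(("high", f"Tracur BHO CLSID {BHO_CLSID} registered, InprocServer32 -> {dll}"))
        for path in find_dropped_pair(dll, system_files):
            findings.append(("high", f"dropped file present: {path}"))
    for mutex in mutexes:
        if MUTEX_RE.match(mutex):
            findings.append(("medium", f"mutex matches Tracur naming: {mutex}"))
    for dst_ip, dst_port in connections:
        if dst_ip == C2_IP:
            findings.append(("high", f"outbound connection to Tracur download host {dst_ip}:{dst_port}"))
    return findings


# --- constructed sample host data -------------------------------------------
SAMPLE_REGISTRY = {
    (f"HKLM\\SOFTWARE\\Classes\\CLSID\\{BHO_CLSID}\\InprocServer32", "(default)"):
        "C:\\Windows\\System32\\authz32.dll",
    # Unrelated CLSID pointing at a legitimate DLL; must not be flagged.
    ("HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32", "(default)"):
        "C:\\Windows\\System32\\shell32.dll",
}
SAMPLE_SYSTEM_FILES = [
    "C:\\Windows\\System32\\kernel32.dll",  # legitimate; name shape matches but no CLSID link
    "C:\\Windows\\System32\\authz.dll",     # legitimate Windows DLL the dropped name imitates
    "C:\\Windows\\System32\\authz32.dll",   # dropped BHO (Trojan:Win32/Tracur.Q)
    "C:\\Windows\\System32\\authz32.exe",   # dropped copy of the trojan
]
SAMPLE_MUTEXES = ["Mutex_QwErTyUiOp", "ShimCacheMutex", "Mutex_short"]
SAMPLE_CONNECTIONS = [("91.217.153.48", 80), ("8.8.8.8", 53)]

if __name__ == "__main__":
    for severity, description in scan_host(SAMPLE_REGISTRY, SAMPLE_SYSTEM_FILES,
                                           SAMPLE_MUTEXES, SAMPLE_CONNECTIONS):
        print(f"[{severity}] {description}")
```

On the sample data the scan reports the BHO registration, both dropped files, the matching mutex and the connection to the download host, while kernel32.dll, the legitimate authz.dll, the non-matching mutexes and the DNS connection produce nothing. The mutex match is kept at a lower severity on its own because the naming pattern is generic enough to collide with unrelated software.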
Analysis by Wei Li
Last update 13 April 2012