
Trojan:Win32/Tracur.AI


First posted on 13 April 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Tracur.AI.

Explanation:

Trojan:Win32/Tracur.AI is a trojan that redirects user searches from legitimate search sites to malicious websites. It is installed as a Browser Helper Object (BHO) in Internet Explorer, and installs malicious Firefox and Google Chrome extensions.


Installation

Upon execution, Trojan:Win32/Tracur.AI drops the following DLL on the affected computer:

<system folder>\wscui32.dll

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It then installs this DLL as a Browser Helper Object (BHO) by making a number of changes to the registry, for example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{03B3E7A7-B1AD-4997-8A29-2993F2249112}\InprocServer32
Sets value: "(Default)"
With data: <system folder>\wscui32.dll

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03B3E7A7-B1AD-4997-8A29-2993F2249112}
Sets value: "(Default)"
With data: " "

Note: {03B3E7A7-B1AD-4997-8A29-2993F2249112} is an example of a Class ID generated in our test environment. This value is different for each computer it is generated on.

If Firefox is installed on the computer, Trojan:Win32/Tracur.AI also installs a Firefox extension named "XUL Cache 1.0" by replacing or creating the following files:

  • %APPDATA%\Mozilla\Firefox\Profiles\.default\extensions\{CLSID}\install.rdf
  • %APPDATA%\Mozilla\Firefox\Profiles\.default\extensions\{CLSID}\chrome\xulcache.jar - detected as Trojan:JS/Tracur.gen!C
  • %APPDATA%\Mozilla\Firefox\Profiles\.default\extensions\{CLSID}\chrome.manifest
  • %APPDATA%\Mozilla\Firefox\Profiles\.default\extensions\{CLSID}\defaults\preferences\xulcache.js - detected as Trojan:JS/Tracur.B


Note: {CLSID} is a Class ID that differs for each computer on which it's generated.

If Google Chrome is installed, Tracur.AI creates an extension named "Default Extension" by modifying or creating the following files:

  • <user folder>\Local Settings\Application Data\Google\Chrome\User Data\Default\<random>\manifest.json
  • <user folder>\Local Settings\Application Data\Google\Chrome\User Data\Default\<random>\contentscript.js - detected as Trojan:JS/Tracur.C
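A defender-side check for the installation artifacts listed above, added here as an example and not part of Microsoft's write-up: it enumerates every registered Internet Explorer BHO, resolves each CLSID to its InprocServer32 DLL, and searches the Firefox and Chrome profile locations for the extension names the page gives. Only the DLL name (wscui32.dll) and the extension names ("XUL Cache", "Default Extension") come from the page; the Wow6432Node fallback and the %LOCALAPPDATA% Chrome path (the Vista+ equivalent of the XP path shown above) are assumptions of this example.

```powershell
# Added example, not part of the original write-up: hunt for Tracur.AI install artifacts.
# Searched names come from the description above; variable names and paths are assumed.
$suspectDll = 'wscui32.dll'
$bhoRoots   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows registers BHOs under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$classRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

# 0. The dropped DLL itself, at the location the page gives (<system folder>).
$dllPath = Join-Path $env:SystemRoot "System32\$suspectDll"
if (Test-Path $dllPath) { "Dropped DLL present: $dllPath" }

# 1. Walk every registered BHO CLSID (the CLSID is random per machine, so key on the
#    DLL name instead) and resolve it through InprocServer32 to the backing DLL.
foreach ($root in $bhoRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($classes in $classRoots) {
            $inproc = Join-Path $classes "$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($dll) {
                [pscustomobject]@{
                    CLSID         = $clsid
                    DLL           = $dll
                    MatchesTracur = ([IO.Path]::GetFileName($dll) -ieq $suspectDll)
                }
            }
        }
    }
}

# 2. Firefox: an install.rdf in any profile's extensions folder advertising "XUL Cache".
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions\*\install.rdf" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'XUL Cache' -List |
    ForEach-Object { "Firefox extension hit: $($_.Path)" }

# 3. Chrome: a manifest.json under the Default profile whose name is "Default Extension".
$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
Get-ChildItem -Path $chromeProfile -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
    Select-String -Pattern '"name"\s*:\s*"Default Extension"' -List |
    ForEach-Object { "Chrome extension hit: $($_.Path)" }
```

Run from an elevated prompt so the HKLM keys and all profile folders are readable; any BHO row with MatchesTracur set to True, or any extension hit, warrants pulling the file for analysis.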


Payload

Redirects user searches

The Browser Helper Object (BHO) and the Firefox and Chrome extensions installed by Trojan:Win32/Tracur.AI redirect the user's searches when any of the following search engines is used:

  • AOL
  • Alltheweb.com
  • Altavista.com
  • Ask
  • Bing
  • Gigablast.com
  • Google
  • Hotbot.com
  • Lycos.com
  • Netscape.com
  • Snap.com
  • Yahoo


Search results are redirected to the IP address "74.50.117.107", which may host other malware.



Analysis by Amir Fouda

Last update 13 April 2012
