Trojan:Win32/Tracur


First posted on 20 November 2013.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Tracur.

Explanation :

Threat behavior

Installation

Win32/Tracur can be distributed via exploit kits, like Blacole; downloaders, like TrojanDownloader:Win32/Karagany.A; or through social engineering.

Win32/Tracur drops a file with a randomly generated file name into one of the following locations:

  • %USERPROFILE%\Local Settings\Application History\Identities\<random>.dll
  • %USERPROFILE%\AppData Roaming\HP\<random>.dll
  • %USERPROFILE%\Local Settings\Application Data\<already existing folder>\<random>.dll


We have seen the following file names used:

  • qkhfyjds.dll
  • sdifypfol.dll
  • wkhnzka.dll
  • yqpsrrxwz.dll
  • ytcxc.dll


Win32/Tracur changes the following registry entry to ensure it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(Default)"
With data: "rundll32.exe "<location and name of dropped file>",<export function>", for example "rundll32.exe "%USERPROFILE%\AppData Roaming\HP\qkhfyjds.dll",DllRegisterServerW"

Win32/Tracur can drop several changed copies of itself to these folders:

  • <system folder>\<existing DLL name>32.exe
  • <system folder>\<existing DLL name>32.dll


where <existing DLL name> refers to any existing Windows DLL file located in the system folder, for example C:\Windows\System32\olecli3232.exe.

In the wild, we have observed the trojan using the following file names:

  • authz32.dll
  • hal32.dll
  • olecli3232.dll
  • olecli3232.exe


The trojan may drop changed copies of itself as DLL files into a folder path that the trojan creates by combining the names of two folders in the %LOCALAPPDATA% or %APPDATA% folders, in the following format:

  • %LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll
  • %APPDATA%\<second folder>\<first folder>\<random>.dll


For example, if %LOCALAPPDATA% contains a folder called Microsoft and a folder called Netscape, the DLL would be dropped in either one of the following folders:

  • C:\Users\<user>\AppData\Local\Microsoft\Netscape\dwnxzmqxa.dll
  • C:\Users\<user>\AppData\Local\Netscape\Microsoft\dwnxzmqxa.dll


In the wild, we have observed the DLL with the following random file names:

  • dwnxzmqxa.dll
  • egavp.dll
  • goqkcl.dll
  • hbpfdb.dll
  • mvljo.dll
  • onduhznwf.dll
  • qseinzzqz.dll
  • skorlmnjq.dll
  • sshnkky.dll


Each time you start your PC, Win32/Tracur makes changes to the registry to ensure that the malware DLL is run each time one of these browsers is run as its parent process:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe


If none of the above is identified as the running parent process, the malware exits.

The following are the changes that the malware makes to the registry to ensure the DLL is run:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_Dlls"
With data: "<system folder>\<existing DLL name>32.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<key>
Sets value: "DllName"
With data: "<system folder>\<existing DLL name>32.dll"

where <key> is derived from your PC's volume serial number (for example, acc0e9de849 and acc0e9de1018).

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%APPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll",DllRegisterServer"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%APPDATA%\<first folder>\<second folder>\<random>.dll",DllRegisterServer"

where <malware value> is the same as <second folder>, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Roaming\Microsoft\Ares\dwnxzmqxa.dll",DllRegisterServer"

The trojan also creates the following registry entry, possibly as an infection marker in order to prevent multiple instances of the malware from running and arousing suspicion:

In subkey: HKCU\Software\<mutex name>\CLSID, for example "HKCU\Software\bwukqmmsyf\CLSID"
Sets value: "(Default)"
With data: "<random globally unique identifier>", for example "{7d5b4281-35a1-4e0f-9c1d-cca2b6f45d50}"

Win32/Tracur can create the following events and mutexes with randomly generated names to ensure that only one copy of the threat runs on your PC at any one time:

  • 6003E92E5B1-D6FE-4804-9E28-FEF7FA8750A44592
  • bwukqmmsyf
  • C21234D3-5CC2-4bdd-9BE7-82A34EF3FAE0
  • dmxkwuuwjr
  • F90C5025-8C4C-4605-84D2-C798A4BCD209849


The malware can install one of the dropped files as a Browser Helper Object (BHO) by adding the following registry entries:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{<CLSID value>}\InProcServer32
Sets value: "<default>"
With data: "<system folder>\<existing DLL name>32.dll"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<CLSID value>}
Sets value: "NoExplorer"
With data: "1"

In the wild, we have observed <CLSID value> to have the value {05C378E0-9FB2-4EFD-985A-276C6C8C623b} or {55A59ADA-4ABD-99C6-4018-99A9B02C7123}. However, it may vary.

Payload

Redirects web searches

Win32/Tracur monitors your web browsing and may redirect web searches to a malicious URL when one of the following search engines is used:

  • Alltheweb
  • Altavista
  • AOL
  • Ask
  • Bing
  • Gigablast
  • Google
  • Hotbot
  • Lycos
  • Netscape
  • Snap
  • Yahoo
  • Youtube


Members of the Win32/Tracur family perform this redirection by sending the keywords you entered into the search site to another server (called a "command and control" or "C&C" server). This server sends back the URL it wants your browser to go to. The sites themselves vary, and you may experience one of the following situations:

  • You are redirected to where you intended to go
  • You are redirected to a site that is very similar to where you intended to go
  • You go to a "landing page" which has a number of links that you can click on, that may then take you to where you intended to go
  • You are redirected to a random site that is not at all where you were intending to go
  • You are redirected to a broken link and end up at an error page


To aid in its search-redirection payload, some variants install a Firefox browser extension by dropping a JAR archive file, with an .xpi extension, as follows:

<Firefox profile>\<profile name>\extensions\<random>@<random>.org.xpi

Notes:

  • <Firefox profile> is taken from the profile paths of different user accounts that the trojan retrieves from the following registry entry:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user ID>\ProfileImagePath
    where <user ID> refers to your account identifier, for example "S-15-18"
  • <profile name> refers to the name of your Firefox profile, and may consist of letters and numbers
  • <random> contains ten randomly generated characters, for example "idirktvriu@idirktvriu.org.xpi"


The Firefox browser extension contains another JAR archive file, for example printing.jar or doance.jar, that contains a malicious JavaScript file overlay.xul, detected as Trojan:JS/Tracur.E.

Win32/Tracur also installs an extension into the Google Chrome browser by dropping a file into a randomly named folder in the Chrome profile folder, for example:

%LOCALAPPDATA%\Google\Chrome\user data\Default\Default\aadhdhdjgddbdfddgcdjggdededagbdf\contentscript.js

Allows backdoor access and control

Variants of Win32/Tracur try to connect to a server via a random TCP port and wait for commands. Using this backdoor, an attacker can do a number of actions on your PC, including the following:

  • Download and run arbitrary files
  • Control how the redirection payload happens


We have observed it trying to connect to the server 184.173.<removed>.54.

Drops other malware

Older variants of Win32/Tracur may also drop other malware, detected as a variant of the Win32/Dursg family, as one of the following:

  • %APPDATA%\system\lsass.exe
  • %APPDATA%\systemproc\lsass.exe
  • %APPDATA%\syswin\lsass.exe


Note that lsass.exe is also the name used by a legitimate Windows file. The legitimate file is located by default in <system folder>, so if you find a file named lsass.exe elsewhere, that file might be malware.

Win32/Tracur will then make the following change to the registry to ensure that the Win32/Dursg variant runs at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "RTHDBPL"
With data: "%APPDATA%\syswin\lsass.exe"

Changes Windows Firewall settings

Variants may use the <system folder>\netsh.exe Windows utility to add malware to the Windows Firewall exceptions list by making the following changes to the registry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "<system folder>\<existing DLL name>32.exe"
With data: "<system folder>\<existing DLL name>32.exe:*:enabled:windows update service"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<system folder>\<existing DLL name>32.exe"
With data: "<system folder>\<existing DLL name>32.exe:*:enabled:windows update service"
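As an added example that is not part of the Microsoft write-up, the following read-only PowerShell script checks a host for the artifacts listed in the sections above: the HKCU Run entries, AppInit_DLLs, the Winlogon Notify subkey, the BHO registration, the Win32/Dursg lsass.exe drop paths and the firewall exceptions. The <existing DLL name>32.dll heuristic and the helper function names are assumptions of this example, not Microsoft's detection logic.

```powershell
# Added read-only triage script for the Win32/Tracur artifacts described above; it is
# not part of the Microsoft write-up. Run it elevated on the host under investigation.
$sys32 = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]
function Test-TracurDllName([string]$Path) {
    # Tracur copies itself as <existing DLL name>32.dll (hal32.dll beside hal.dll,
    # olecli3232.dll beside olecli32.dll); crypt32.dll is not flagged because crypt.dll does not exist.
    $base = [IO.Path]::GetFileNameWithoutExtension($Path.Trim('"'))
    if ($base -notmatch '32$') { return $false }
    return Test-Path (Join-Path $sys32 ($base.Substring(0, $base.Length - 2) + '.dll'))
}
function Get-RegValues([string]$Key) {
    # Name/data pairs of a key, minus the PS* metadata members Get-ItemProperty adds.
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item) { $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } }
}
# HKCU Run: rundll32.exe loading a DLL under AppData through the exports seen in the wild
foreach ($v in Get-RegValues 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if ([string]$v.Value -match '(?i)rundll32\.exe\s*"[^"]*\\AppData\\[^"]*\.dll"\s*,\s*(CreateInstance|DllRegisterServer\w?)') {
        $findings.Add("Run value '$($v.Name)': $($v.Value)")
    }
}
# AppInit_DLLs is empty on a healthy host; any <name>32.dll with a matching <name>.dll is suspect
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($dll in (([string]$appInit) -split '[,\s]+' | Where-Object { $_ })) {
    if (Test-TracurDllName $dll) { $findings.Add("AppInit_DLLs entry: $dll") }
}
# Winlogon\Notify subkeys (the <key> derived from the volume serial) and BHO in-process servers
foreach ($k in Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty $k.PSPath).DllName
    if ($dll -and (Test-TracurDllName $dll)) { $findings.Add("Winlogon Notify '$($k.PSChildName)': $dll") }
}
foreach ($k in Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' -ErrorAction SilentlyContinue) {
    $srv = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($srv -and (Test-TracurDllName $srv)) { $findings.Add("BHO $($k.PSChildName) server: $srv") }
}
# Firewall exceptions carrying the "windows update service" label, and lsass.exe outside System32
foreach ($p in 'DomainProfile', 'StandardProfile') {
    $list = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$p\AuthorizedApplications\List"
    foreach ($v in Get-RegValues $list) {
        if ([string]$v.Value -match '(?i):\*:enabled:windows update service$') { $findings.Add("Firewall $p exception: $($v.Value)") }
    }
}
foreach ($d in 'system', 'systemproc', 'syswin') {
    $f = Join-Path $env:APPDATA "$d\lsass.exe"
    if (Test-Path $f) { $findings.Add("lsass.exe outside System32 (Win32/Dursg drop path): $f") }
}
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[Tracur indicator] $_" } }
else { Write-Output 'No Win32/Tracur artifacts found.' }
```

Any hit is a lead for manual review, not proof on its own; confirm by inspecting the referenced DLL and its parent-process behaviour before cleaning.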

Further reading
  • July MSRT on web redirector malware http://blogs.technet.com/b/mmpc/archive/2011/07/28/july-msrt-on-web-redirector-malware.aspx
  • MSRT July 2011: Targeting web redirector malware http://blogs.technet.com/b/mmpc/archive/2011/07/12/msrt-july-2011-targeting-web-redirector-malware.aspx


Related encyclopedia entries

Win32/Dursg

Trojan:JS/Tracur.E

TrojanDownloader:Win32/Karagany.A



Analysis by Rodel Finones and Nikola Livic

Symptoms

The following could indicate that you have this threat on your PC:

  • After clicking on search results, you are taken to a site you were not expecting or intending to go to

Last update 20 November 2013
