Trojan-Downloader:W32/Tracur.J
First posted on 14 May 2010.
Source: SecurityHome
Aliases:
There are no other names known for Trojan-Downloader:W32/Tracur.J.
Explanation:
A trojan that secretly downloads malicious files from a remote server, then installs and executes the files.
Additional Details
Trojan-Downloader:W32/Tracur.J identifies a malicious DLL file that installs a malicious plug-in for the Internet Explorer and/or Mozilla Firefox web browsers in order to redirect searches to an unsolicited website.
This file is probably dropped by a separate dropper program.
Installation
The DLL file is registered as a Browser Helper Object (BHO) with the Internet Explorer web browser. If the Mozilla Firefox web browser is installed, the file will also install a malicious extension (the browser's equivalent of a BHO) for Firefox.
Activity
Once installed, the BHO in either web browser will redirect searches made using various search engines to:
• http://74.50.[...].107
The site may host more malicious content.
The list of targeted search engines is hard-coded; targeted search engines are:
• Ask
• Snap
• Hotbot
• Gigablast
• Alltheweb
• Altavista
• Lycos
• AOL
• Bing
• Yahoo!
• Google
Registry Changes
During installation, Tracur.J creates the following registry keys:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989A5447-1A50-4D02-BA55-724A516C1370}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{989A5447-1A50-4D02-BA55-724A516C1370}
• HKEY_CLASSES_ROOT\CLSID\{989A5447-1A50-4D02-BA55-724A516C1370}
• HKEY_CLASSES_ROOT\.fsharproj
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj
Last update 14 May 2010
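A triage check for the keys listed under Registry Changes, as an added example that is not part of the original description: it parses the text of a `reg export` dump, lists every registered Browser Helper Object with the DLL its CLSID points to, and flags the Tracur.J CLSID and the .fsharproj key. The sample export, the DLL path, the second CLSID and all function names are constructed for illustration; reading the DLL from the CLSID's InprocServer32 default value assumes a standard COM in-process registration, which the description does not spell out.

```python
import re

# CLSID and file-extension keys are the ones listed under Registry Changes.
TRACUR_CLSID = "{989A5447-1A50-4D02-BA55-724A516C1370}"
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")
CLSID_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID", r"HKEY_CLASSES_ROOT\CLSID")
EXT_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj", r"HKEY_CLASSES_ROOT\.fsharproj")

# Constructed sample export (placeholder DLL path and second CLSID), not real data.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989a5447-1a50-4d02-ba55-724a516c1370}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{989A5447-1A50-4D02-BA55-724A516C1370}\InprocServer32]
@="C:\\ExamplePath\\placeholder.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj]
"""

def parse_reg_export(text):
    """Return {upper-cased key path: {value name: string data}} from export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := re.match(r'(@|"[^"]*")="(.*)"$', line)):
            # .reg files escape backslashes and quotes inside string data
            current[m.group(1).strip('"')] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def inproc_dll(keys, clsid):
    """DLL registered as the in-process server for a CLSID, or None if absent."""
    for root in CLSID_ROOTS:
        values = keys.get(f"{root}\\{clsid}\\InprocServer32".upper(), {})
        if "@" in values:
            return values["@"]
    return None

def triage_bhos(text):
    """Return (list of BHO records, True if a listed .fsharproj key is present)."""
    keys = parse_reg_export(text)
    prefix = BHO_ROOT.upper() + "\\"
    report = [{"clsid": path[len(prefix):],
               "dll": inproc_dll(keys, path[len(prefix):]),
               "tracur_j": path[len(prefix):] == TRACUR_CLSID}
              for path in keys if path.startswith(prefix)]
    return report, any(k.upper() in keys for k in EXT_KEYS)
```

`reg export` writes UTF-16 text, so decode the file accordingly before passing its contents to `triage_bhos`.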