
Win32/Tracur


First posted on 12 July 2011.
Source: SecurityHome

Aliases:

There are no other names known for Win32/Tracur.

Explanation:

Win32/Tracur is a detection for the trojan family Tracur that downloads and executes arbitrary files, redirects web search queries to a malicious URL and may also install other malware.



Installation

Win32/Tracur may drop several modified copies of itself using the following name pattern:

  • <system folder>\<ExistingDLLName>32.exe


Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

In the wild, we have observed the trojan using the following file names:

  • hal32.dll
  • olecli3232.dll
  • olecli3232.exe
  • authz32.dll

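The file names above all follow the pattern described in the Installation section: the name of a DLL that already exists in the System folder with "32" appended (hal.dll becomes hal32.dll, authz.dll becomes authz32.dll, olecli32.dll becomes olecli3232.dll). The following Python script is an added example, not part of this description or of the original analysis, that applies that heuristic to a directory listing: it flags any `<Name>32.dll` or `<Name>32.exe` for which `<Name>.dll` is also present. The listing embedded in the script is constructed for illustration; `scan_directory` is a hypothetical helper that runs the same check against a real folder.

```python
import os
import re

# Constructed sample listing of a System folder (not taken from a real host).
# It mixes the Tracur names reported on this page with ordinary Windows DLLs.
SAMPLE_SYSTEM32_LISTING = [
    "hal.dll", "hal32.dll",
    "olecli32.dll", "olecli3232.dll", "olecli3232.exe",
    "authz.dll", "authz32.dll",
    "kernel32.dll", "user32.dll", "ws2_32.dll", "advapi32.dll",
    "netsh.exe",
]

# <base>32.dll or <base>32.exe; the greedy group keeps "olecli32" as the base
# of "olecli3232.dll", which is exactly how Tracur derives its names.
_NAME_RE = re.compile(r"^(?P<base>.+)32\.(?P<ext>dll|exe)$", re.IGNORECASE)


def suspicious_tracur_names(listing):
    """Return the names in `listing` shaped like <Existing>32.dll/.exe where
    <Existing>.dll is also present in the same listing, sorted for stable output.

    Ordinary system files such as kernel32.dll are not flagged because there
    is no kernel.dll next to them.
    """
    present = {name.lower() for name in listing}
    hits = []
    for name in listing:
        match = _NAME_RE.match(name)
        if not match:
            continue
        base = match.group("base").lower()
        if f"{base}.dll" in present:
            hits.append(name)
    return sorted(hits)


def scan_directory(path):
    """Hypothetical helper: run the heuristic over the files in `path`
    (for example C:\\Windows\\System32 on a machine under investigation)."""
    return suspicious_tracur_names(os.listdir(path))


if __name__ == "__main__":
    for name in suspicious_tracur_names(SAMPLE_SYSTEM32_LISTING):
        print("suspicious:", name)
```

The heuristic is a triage aid, not proof of infection: a flagged file still needs its hash, signature and creation time checked, and because the malware picks an existing DLL name at random, any hit should prompt a review of the AppInit_DLLs and Winlogon\Notify entries described in the next paragraphs.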

On rebooting, Win32/Tracur makes the following changes to the registry to ensure that the malware DLL is loaded each time one of the specified parent processes is launched:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_Dlls"
With data: "<system folder>\<ExistingDLLName>32.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Key>
Sets value: "DllName"
With data: "<system folder>\<ExistingDLLName>32.dll"

Where <Key> is derived from the infected computer's volume serial number (for example, acc0e9de849 and acc0e9de1018).

Once the above registry entries have been created, the malware DLL loads.

The malware checks whether its parent process is one of the following:

  • explorer.exe
  • winlogon.exe
  • iexplore.exe
  • firefox.exe
  • opera.exe
  • chrome.exe


If the parent process is not one of the above, the malware exits.

Win32/Tracur may create the following events and mutex to ensure that only one copy of the threat runs on the infected computer at any one time:

  • 6003E92E5B1-D6FE-4804-9E28-FEF7FA8750A44592
  • C21234D3-5CC2-4bdd-9BE7-82A34EF3FAE0
  • F90C5025-8C4C-4605-84D2-C798A4BCD209849


The malware may install one of the dropped files as a Browser Helper Object (BHO) by adding the following registry entries:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{<CLSID value>}\InProcServer32
Sets value: "(default)"
With data: "<system folder>\<ExistingDLLName>32.dll"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<CLSID value>}
Sets value: "NoExplorer"
With data: "1"

In the wild, we have observed <CLSID value> to have the value {05C378E0-9FB2-4EFD-985A-276C6C8C623b} or {55A59ADA-4ABD-99C6-4018-99A9B02C7123}. However, it may vary.



Payload

Drops other malware

Many variants of Win32/Tracur may drop other malware, detected as Win32/Dursg, as one of the following:

  • %APPDATA%\syswin\lsass.exe
  • %APPDATA%\systemproc\lsass.exe
  • %APPDATA%\system\lsass.exe


Win32/Tracur will then make the following change to the registry to ensure that the Win32/Dursg variant executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "RTHDBPL"
With data: "%APPDATA%\syswin\lsass.exe"

For more details, please see the description for Win32/Dursg elsewhere in the encyclopedia.

Redirects web searches

Win32/Tracur monitors the user's web browsing and may redirect web searches to a malicious URL when one of the following search engines is used:

  • Google
  • Yahoo
  • AOL
  • Ask
  • Bing


In addition to the search engines listed above, some variants may also redirect searches for the following:

  • Snap
  • Hotbot
  • Gigablast
  • Lycos
  • Altavista
  • Alltheweb
  • Netscape
  • Youtube


Allows backdoor access and control

Win32/Tracur attempts to connect to a server via a random TCP port and waits for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to:

  • Download and execute arbitrary files
  • Control the web browser redirection parameters


Modifies Windows Firewall settings

Win32/Tracur may use the <system folder>\netsh.exe Windows utility to add its dropped executable to the Windows Firewall exceptions list, which results in the following registry changes:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "<system folder>\<ExistingDLLName>32.exe"
With data: "<system folder>\<ExistingDLLName>32.exe:*:enabled:windows update service"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<system folder>\<ExistingDLLName>32.exe"
With data: "<system folder>\<ExistingDLLName>32.exe:*:enabled:windows update service"

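The registry entries listed in the Installation and Payload sections (the AppInit_DLLs value, the Winlogon\Notify DllName, the BHO CLSID registration, the RTHDBPL Run value for Win32/Dursg and the firewall exception whose description reads "windows update service") are all visible in an exported hive. The following Python script is an added example, not part of this description, that parses `.reg` export text and reports entries matching those indicators. The export embedded in the script is constructed to contain one entry of each kind plus a benign Winlogon\Notify entry; the rule names and the `parse_reg_export`/`find_tracur_indicators` function names are assumptions of this example. The CLSID values and the RTHDBPL value name are the ones reported on this page.

```python
import re

# Constructed .reg export for illustration; not captured from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\hal32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acc0e9de849]
"DllName"="C:\\Windows\\System32\\hal32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\benign]
"DllName"="C:\\Windows\\System32\\benign.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05C378E0-9FB2-4EFD-985A-276C6C8C623b}\InProcServer32]
@="C:\\Windows\\System32\\hal32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05C378E0-9FB2-4EFD-985A-276C6C8C623b}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="C:\\Users\\user\\AppData\\Roaming\\syswin\\lsass.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\hal32.exe"="C:\\Windows\\System32\\hal32.exe:*:enabled:windows update service"
"""

# CLSIDs observed for the Tracur BHO, as reported on this page (compared upper-case).
KNOWN_BHO_CLSIDS = {
    "{05C378E0-9FB2-4EFD-985A-276C6C8C623B}",
    "{55A59ADA-4ABD-99C6-4018-99A9B02C7123}",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    # .reg files escape backslashes and quotes inside string names and data.
    return text.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse .reg text into (key, value_name, data) tuples.

    Only string (REG_SZ) and dword values are decoded; other types are skipped.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        if key is None:
            continue
        if line.startswith("@="):            # default value of the key
            name, data = "(default)", line[2:]
        else:
            value_match = _VALUE_RE.match(line)
            if not value_match:
                continue
            name, data = _unescape(value_match.group(1)), value_match.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        else:
            continue
        entries.append((key, name, data))
    return entries


def find_tracur_indicators(text):
    """Return (rule, key, value_name, data) for every entry matching a Tracur indicator."""
    hits = []
    for key, name, data in parse_reg_export(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        parts = key.split("\\")
        if k.endswith("\\currentversion\\windows") and n == "appinit_dlls" and d.endswith("32.dll"):
            hits.append(("appinit_dlls_load", key, name, data))
        elif "\\winlogon\\notify\\" in k and n == "dllname" and d.endswith("32.dll"):
            hits.append(("winlogon_notify_dll", key, name, data))
        elif k.endswith("\\inprocserver32") and len(parts) >= 2 and parts[-2].upper() in KNOWN_BHO_CLSIDS:
            hits.append(("known_clsid_inprocserver", key, name, data))
        elif "\\browser helper objects\\{" in k and parts[-1].upper() in KNOWN_BHO_CLSIDS:
            hits.append(("known_bho_clsid", key, name, data))
        elif k.endswith("\\policies\\explorer\\run") and n == "rthdbpl":
            hits.append(("dursg_run_value", key, name, data))
        elif "\\firewallpolicy\\" in k and k.endswith("\\authorizedapplications\\list") \
                and d.endswith(":windows update service"):
            hits.append(("firewall_exception", key, name, data))
    return hits


if __name__ == "__main__":
    for rule, key, name, data in find_tracur_indicators(SAMPLE_REG_EXPORT):
        print(f"{rule}: [{key}] {name} = {data}")
```

A real export produced by `reg export` on Windows is UTF-16 with a byte-order mark, so decode it with that encoding before passing the text in. The AppInit_DLLs and Winlogon\Notify rules match on the "32.dll" suffix alone and will also fire on a legitimately named DLL that happens to end that way, so treat those hits as a prompt to inspect the file rather than as a verdict; the CLSID and RTHDBPL rules are exact matches on values reported for this family.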


Analysis by Rodel Finones

Last update 12 July 2011
