Trojan:Win32/Tracur.AU
First posted on 05 November 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Tracur.AU is also known as TR/Barys.6082.773 (Avira), Trojan/Win32.Casu (AhnLab), Trojan-Dropper.Win32.Clons.rmt (Kaspersky).
Explanation:
Trojan:Win32/Tracur.AU is a trojan that redirects web searches and may download and run arbitrary files.
It is a member of the Win32/Tracur family of trojans.
Installation
Trojan:Win32/Tracur.AU is dropped and run by another piece of malware, called a "loader", which is also detected as Trojan:Win32/Tracur.AU.
The loader drops Trojan:Win32/Tracur.AU as a DLL file with a random name into a folder in %LOCALAPPDATA%. It creates the folder by using the names of existing folders, as in the following examples:
- %LOCALAPPDATA%\Local AppWizard-Generated Applications\ztqtolqs.dll
- %LOCALAPPDATA%\Microsoft\nlpvosgf.dll
Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local".
Trojan:Win32/Tracur.AU modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware's sub-folder>"
With data: "rundll32.exe "%LOCALAPPDATA%\<malware's sub-folder>\<random>.dll",<export function>"
where <export function> is a function defined in the DLL's code, for example:
- CheckCTCRCVersion
- TX-Export
- mpegInVideoAuxinfo
The following is an example of the modified registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Local AppWizard-Generated Applications"
With data: "rundll32.exe "C:\Users\<user>\AppData\Local\Local AppWizard-Generated Applications\ztqtolqs.dll", CheckCTCRCVersion"
When run, Trojan:Win32/Tracur.AU loads the dropped DLL.
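The Run-key persistence described above is easy to hunt for: a value whose data launches rundll32.exe against a DLL under %LOCALAPPDATA% with a random-looking name, where the value name equals the DLL's folder name. The following is an added example of that check (not code from the encyclopedia entry or from Microsoft); the Run values it scans are a constructed dictionary, the first of which mirrors the documented example, and the "random-looking name" heuristic and the two-indicator threshold are assumptions.

```python
import re
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Run-key data format documented for this family (a space after the comma also occurs):
#   rundll32.exe "<folder>\<random>.dll",<export function>
RUNDLL32_RE = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)\s*$',
    re.IGNORECASE)
LOCAL_APPDATA_RE = re.compile(  # unexpanded variable or the expanded defaults for 2000/XP and Vista+
    r'(%LOCALAPPDATA%|\\AppData\\Local|\\Local Settings\\Application Data)\\', re.IGNORECASE)

class Finding(NamedTuple):
    value_name: str
    dll_path: str
    export: str
    reasons: tuple

def looks_random(stem: str) -> bool:
    """Heuristic (assumption): letters only, >= 8 long, few vowels, like ztqtolqs / nlpvosgf."""
    if not stem.isalpha() or len(stem) < 8:
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(stem) <= 0.25

def check_run_value(value_name: str, data: str) -> Optional[Finding]:
    """Return a Finding when one Run value matches the Tracur.AU persistence pattern."""
    m = RUNDLL32_RE.match(data)
    if not m:
        return None  # not a rundll32 launch at all
    dll, path, reasons = m.group("dll"), PureWindowsPath(m.group("dll")), []
    if LOCAL_APPDATA_RE.search(dll):
        reasons.append("dll lives under %LOCALAPPDATA%")
    if looks_random(path.stem):
        reasons.append("random-looking dll name")
    if path.parent.name.lower() == value_name.lower():
        reasons.append("value name equals the dll's folder name")
    if len(reasons) < 2:
        return None  # one weak indicator alone is not worth an alert
    return Finding(value_name, dll, m.group("export"), tuple(reasons))

def scan(values: dict) -> list:
    return [f for f in (check_run_value(n, d) for n, d in values.items()) if f]

# Constructed sample of HKCU\...\Run values (name -> data); the first mirrors the documented entry.
SAMPLE_RUN_VALUES = {
    "Local AppWizard-Generated Applications":
        'rundll32.exe "C:\\Users\\bob\\AppData\\Local\\Local AppWizard-Generated Applications\\ztqtolqs.dll", CheckCTCRCVersion',
    "Microsoft": 'rundll32.exe "%LOCALAPPDATA%\\Microsoft\\nlpvosgf.dll",TX-Export',
    "ControlPanelHelper": 'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
}
```

On a live host, feed `scan()` the values read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run with `winreg`; the legitimate shell32.dll entry in the sample shows that a rundll32 launch by itself is not flagged.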
Payload
Redirects user searches
Trojan:Win32/Tracur.AU redirects searches you make in the following search engines:
- AOL
- Bing
- Yahoo
Contacts remote host
Trojan:Win32/Tracur.AU may contact the following remote hosts:
- 199.71.233.126
- 83.133.127.200
- cms.abmr.net
The trojan contacts these hosts to determine the addresses to redirect your searches to. However, the trojan may also contact these hosts for the following purposes:
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data or browsing activity taken from your computer
Additional information
Trojan:Win32/Tracur.AU creates a mutex with a random GUID as its name, possibly as an infection marker to prevent multiple instances running on your computer, for example:
- {437E2C19-A2E9-859E-3CE7-A178DEFBBCA9}
- {A3AC9628-2432-34FC-AC06-04E04050F2DC}
- {84B016AA-E679-0362-D199-416162D379A2}
The trojan may also modify the following registry entry, possibly to store additional configuration details or information about the malware:
In subkey: HKCU\Software\<randomly chosen existing folder name>
Sets value: "<random GUID>"
With data: "<encrypted data>"
For example:
In subkey: HKCU\Software\Intel
Sets value: "{6C2A9407-A1A1-6264-1411-DAA157C1708D}"
With data: "<encrypted data>"
Related encyclopedia entries
Win32/Tracur
Analysis by Rex Plantado
Last update 05 November 2012