
TrojanDownloader:Win32/Tracur.AK


First posted on 13 April 2012.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Tracur.AK.

Explanation:

TrojanDownloader:Win32/Tracur.AK is a trojan that redirects user searches from legitimate search sites to malicious websites. It is installed as a Browser Helper Object (BHO) in Internet Explorer.

Installation

Upon execution, TrojanDownloader:Win32/Tracur.AK drops the following DLL on the affected computer:

\Documents and Settings\<User Name>\Local Settings\Application Data\identities\identities\<malware name>.dll

Note: <malware name> refers to 5-8 random characters, for example "vubjh.dll".

It then installs this DLL as a Browser Helper Object (BHO) by making a number of changes to the registry, for example:

In subkey: HKCU\Software\Hdzxfocezu\CLSID
Sets value: "(Default)"
With data: "(Class ID)" (for example, {653ec1c6-1a34-438d-8892-75c5d3a6f587})

Note: {653ec1c6-1a34-438d-8892-75c5d3a6f587} is an example of a Class ID generated in our test environment. This value is different for each computer it is generated on.

The trojan makes the following changes to the registry to ensure its execution at each Windows start:

In subkey: HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
With data: "rundll32.exe "c:\documents and settings\administrator\application data\identities\identities\vubjh.dll",dllregisterserver"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
With data: "rundll32.exe "c:\documents and settings\administrator\application data\identities\identities\vubjh.dll",dllregisterserver"
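A defender's check for the persistence entries quoted above: given Run-key values as exported from the registry, it flags the rundll32/DllRegisterServer launch line pointing at a short randomly named DLL under Application Data\identities\identities. This is an added example, not code from Microsoft or from this page; the regular expressions, the Finding type and the sample entries are my own construction, shaped after the two Run values shown above plus two benign entries.

```python
import re
from typing import NamedTuple, Optional

# Persistence pattern quoted above: a Run value that makes rundll32.exe load a
# DLL from "<profile>\Application Data\identities\identities\" and call
# DllRegisterServer. The DLL name is 5-8 random characters (e.g. vubjh.dll).
RUNDLL_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE)
IDENTITIES_DIR = re.compile(r'\\application data\\identities\\identities\\', re.IGNORECASE)
RANDOM_DLL_NAME = re.compile(r'^[a-z]{5,8}\.dll$', re.IGNORECASE)

class Finding(NamedTuple):
    key: str        # Run subkey the value lives in
    value: str      # value name (the sample uses "Update")
    dll: str        # DLL path handed to rundll32
    reasons: tuple  # which indicators matched

def inspect_run_value(key: str, name: str, data: str) -> Optional[Finding]:
    """Flag a Run value when at least two of the Tracur.AK indicators match."""
    m = RUNDLL_RE.match(data)
    if not m:  # not a rundll32 launch line at all
        return None
    dll, export = m.group('dll'), m.group('export')
    reasons = []
    if export.lower() == 'dllregisterserver':
        reasons.append('rundll32 calls DllRegisterServer at every logon')
    if IDENTITIES_DIR.search(dll):
        reasons.append('DLL stored under Application Data\\identities\\identities')
    if RANDOM_DLL_NAME.match(dll.rsplit('\\', 1)[-1]):
        reasons.append('5-8 character random DLL name')
    # A single indicator (e.g. a short DLL name) is common in benign entries, so require two.
    return Finding(key, name, dll, tuple(reasons)) if len(reasons) >= 2 else None

def scan_run_values(entries):
    """entries: iterable of (subkey, value name, data) as exported from the registry."""
    return [f for f in (inspect_run_value(*e) for e in entries) if f is not None]

# Constructed sample: the two Run values quoted above plus two benign entries.
SAMPLE_RUN_VALUES = [
    (r'HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'Update',
     r'rundll32.exe "c:\documents and settings\administrator\application data\identities\identities\vubjh.dll",dllregisterserver'),
    (r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'Update',
     r'rundll32.exe "c:\documents and settings\administrator\application data\identities\identities\vubjh.dll",dllregisterserver'),
    (r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'NvCplDaemon',
     r'RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup'),
    (r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'ctfmon.exe',
     r'C:\WINDOWS\system32\ctfmon.exe'),
]
```

Running `scan_run_values(SAMPLE_RUN_VALUES)` returns a Finding for each of the two "Update" values and nothing for the benign NVIDIA and ctfmon entries.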



Payload

Redirects user searches

The Browser Helper Object (BHO) installed by TrojanDownloader:Win32/Tracur.AK redirects searches that the user submits to any of the following search engines:

  • Alltheweb.com
  • Altavista.com
  • AOL
  • Ask
  • Bing
  • Gigablast.com
  • Google
  • Hotbot.com
  • Lycos.com
  • Netscape.com
  • Snap.com
  • Yahoo


Search results may be redirected to the IP address "184.173.181.54".



Analysis by Wei Li

Last update 13 April 2012