Home / malware Trojan:Win32/Tracur.AV
First posted on 30 August 2012.
Source: MicrosoftAliases :
Trojan:Win32/Tracur.AV is also known as Win32/Kryptik.AIZP (ESET), TR/Tracur.AV.6 (Avira), Trojan.AVKill.20834 (Dr.Web).
Explanation :
Trojan:Win32/Tracur.AV is a trojan that redirects Internet search queries to a malicious URL, allows backdoor access and control and may also install other malware.
It is a member of the Trojan:Win32/Tracur family.
Installation
Trojan:Win32/Tracur.AV combines the names of two folders in the %LOCALAPPDATA% or %APPDATA% folder to create a new folder path, in the following format:
- %LOCALAPPDATA%\<folder 1>\<folder 2>\<random>.dll
- %APPDATA%\<folder 2>\<folder 1>\<random>.dll
Note: %LOCALAPPDATA% and %APPDATA% refer to variable locations that are determined by the malware by querying the operating system. The default installation location for the Local AppData folder for Windows Vista and 7 is "C:\Users\<user>\AppData\Local"; it does not exist in Windows Vista and 7.
The default installation location for the AppData folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data", and for Windows Vista and 7 it is "C:\Users\<user>\AppData\Roaming".
For example, if %LOCALAPPDATA% contains a folder called "Microsoft" and a folder called "Netscape", the DLL would be dropped in either one of the following folders:
- C:\Users\<user>\AppData\Local\Microsoft\Netscape\dwnxzmqxa.dll
- C:\Users\<user>\AppData\Local\Netscape\Microsoft\dwnxzmqxa.dll
The trojan drops a malicious DLL component into the newly created folder path. In the wild, we have observed the DLL with the following file names:
- dwnxzmqxa.dll
- egavp.dll
- goqkcl.dll
- hbpfdb.dll
- mvljo.dll
- onduhznwf.dll
- qseinzzqz.dll
- skorlmnjq.dll
- sshnkky.dll
We detect the malicious DLL as Trojan:Win32/Tracur.AV and Trojan:Win32/Tracur.AN.
When run, Trojan:Win32/Tracur.AV drops a copy of itself to "<system folder>\<existing DLL name>32.exe", where <existing DLL name> refers to any existing Windows DLL file located in the system folder, for example "C:\Windows\System32\olecli3232.exe".
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32" and for XP, Vista, 7 and W8 is "C:\Windows\System32".
Trojan:Win32/Tracur.AV modifies the following registry entries to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>", for example "Ares"
With data: "rundll32.exe %LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll, CreateInstance", for example "C:\Users\<user>\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll, CreateInstance"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>", for example "Ares"
With data: "rundll32.exe %APPDATA%\<first folder>\<second folder>\<random>.dll, CreateInstance", for example "C:\Users\<user>\AppData\Roaming\Microsoft\Ares\dwnxzmqxa.dl, CreateInstancel"
Note: <malware value> uses the same name as <second folder>.
Trojan:Win32/Tracur.AV also creates a mutex with a random name of ten characters, for example "bwukqmmsyf".
It creates the following registry entry, possibly as an infection marker in order to prevent multiple instances of the malware from running and possibly arousing suspicion:
In subkey: HKCU\Software\<mutex name>\CLSID, for example "HKCU\Software\bwukqmmsyf\CLSID"
Sets value: "<default>"
With data: "<random globally unique identifier>", for example "{7d5b4281-35a1-4e0f-9c1d-cca2b6f45d50}"
Payload
Redirects Internet search queries
Trojan:Win32/Tracur.AV redirects searches to a malicious URL when one of the following search engines are used:
- AlltheWeb
- AltaVista
- AOL
- Ask
- Bing
- Gigablast
- HotBot
- Lycos
- Netscape
- Snap
- Yahoo
- YouTube
To aid in its search-redirection payload, Trojan:Win32/Tracur.AV installs a Firefox browser extension by dropping a JAR archive file, with an .xpi extension, as follows:
<Firefox profile>\<Profile1>\extensions\<random>@<random>.org.xpi
Note: <random> contains ten randomly generated characters, for example "elsahusoen@elsahusoen.org.xpi".
Note: <Firefox profile> is taken from the profile paths of different user accounts that the trojan retrieves from the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user ID>\ProfileImagePath
where <user ID> refers to your account identifier, for example "S-15-18".
The Firefox browser extension contains another JAR archive file, for example "printing.jar" or "performance.jar", that contains a malicious JavaScript file "overlay.xul", detected as Trojan:JS/Tracur.E.
Allows backdoor access and control
Trojan:Win32/Tracur.AV attempts to connect to a server via a random TCP port and waits for commands. Using this backdoor, an attacker can perform a number of actions on your computer, including the following:
Related encyclopedia entries
- Control the Internet search redirection parameters of the malware
- Download and execute arbitrary files
Trojan:Win32/Tracur
Trojan:Win32/Tracur.AN
Trojan:JS/Tracur.E
Analysis by Rodel Finones
Last update 30 August 2012