Home / malware Trojan:Win32/Tracur.B
First posted on 13 April 2012.
Source: MicrosoftAliases :
Trojan:Win32/Tracur.B is also known as Win32/Nugg.worm.143360 (AhnLab), Trojan.Tracur.A (BitDefender), P2P-Worm.Win32.nugg.bd (Kaspersky), Generic Downloader.x!cg (McAfee), W32/Agent.MPDD (Norman), W32/P2PWorm.AK.worm (Panda), Troj/Agent-INP (Sophos), Worm.P2P.Nugg.BV (VirusBuster).
Explanation :
Trojan:Win32/Tracur.B is a trojan component installed by Trojan:Win32/Tracur.A. This trojan component downloads and executes arbitrary files.
Top
Trojan:Win32/Tracur.B is a trojan component installed by Trojan:Win32/Tracur.A. This trojan component downloads and executes arbitrary files. Installation Trojan:Win32/Tracur.B is installed by Trojan:Win32/Tracur.A and is present in the Windows system folder as a randomly named file such as '<system folder>\fde32.dll'. The registry is modified to run the dropped component at each Windows start. Adds value: "DllName"With data: "<system folder>\fde32.dll"To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acc0e9de600 Adds value: "AppInit_Dlls"With data: "<system folder>\fde32.dll"To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows When Win32/Tracur.B executes, it create a unique mutex name "5113E92E5B1-D6FE-4804-9E28-FEF7FA8750A41864" to ensure only one malware instance runs at a time. Next it checks if the parent process is any of the following: explorer.exewinlogon.exeiexplore.exefirefox.exeopera.exechrome.exe If the parent process is not one of the above, the malware exits. Payload Downloads and Executes Arbitrary Files
Trojan:Win32/Tracur.B listens on an undefined TCP port (such as TCP port 1345) and waits for instructions from an attacker. The trojan may be instructed to perform the following actions:The malware creates a pipe named "\\.\pipe\82781219D3C34ebcA476079C6EC9FDF40" that can allow an attacker access to steal data. Additional InformationThe registry may be modified with the following additional changes: Adds value: "acc0e9de"With data: "00 AF F8 70 BF CA C9 01"To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
- Download and execute arbitrary files
- Redirect the user's web browser to a URL of the attacker's choice, and maximize the Web browser window
Analysis by Tim LiuLast update 13 April 2012