Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013



Chapter 8: Spyware

Trojan:Win32/Tracur.AV

MS Encyclopedia entry
Updated: Sep 04, 2012  |  Published: Jul 26, 2012

Aliases
 


Alert Level: Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.141.3235.0
Released: Jan 05, 2013
  Detection initially created:
Definition: 1.131.307.0
Released: Jul 20, 2012


Summary

Trojan:Win32/Tracur.AV is a trojan that redirects Internet search queries to a malicious URL and allows backdoor access and control. It may also install other malware.

Disables several AV programs.

It is a member of the Trojan:Win32/Tracur family.


Symptoms

System changes

The following system changes may indicate the presence of this malware:

Technical Information (Analysis)

Trojan:Win32/Tracur.AV is a trojan that redirects Internet search queries to a malicious URL, allows backdoor access and control and may also install other malware.

It is a member of the Trojan:Win32/Tracur family.

Installation

Trojan:Win32/Tracur.AV combines the names of two folders in the %LOCALAPPDATA% or %APPDATA% folder to create a new folder path, in the following format: "%LOCALAPPDATA%\<first folder>\<second folder>" or "%APPDATA%\<first folder>\<second folder>".

Note: %LOCALAPPDATA% and %APPDATA% refer to variable locations that the malware determines by querying the operating system. The default location of the Local AppData folder for Windows Vista and 7 is "C:\Users\<user>\AppData\Local"; the %LOCALAPPDATA% variable does not exist in Windows 2000, XP, and 2003.
The default location of the AppData folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data", and for Windows Vista and 7 it is "C:\Users\<user>\AppData\Roaming".

For example, if %LOCALAPPDATA% contains a folder called "Microsoft" and a folder called "Netscape", the DLL would be dropped in either one of the following folders: "%LOCALAPPDATA%\Microsoft\Netscape" or "%LOCALAPPDATA%\Netscape\Microsoft".

The trojan drops a malicious DLL component into the newly created folder path. In the wild, we have observed the DLL with the following file names:

We detect the malicious DLL as Trojan:Win32/Tracur.AV and Trojan:Win32/Tracur.AN.

When run, Trojan:Win32/Tracur.AV drops a copy of itself to "<system folder>\<existing DLL name>32.exe", where <existing DLL name> refers to any existing Windows DLL file located in the system folder, for example "C:\Windows\System32\olecli3232.exe".

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder for Windows 2000 and NT is "C:\Winnt\System32", and for XP, Vista, 7 and Windows 8 it is "C:\Windows\System32".

Trojan:Win32/Tracur.AV modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%APPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"

Note: <malware value> uses the same name as <second folder>, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Roaming\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"

Trojan:Win32/Tracur.AV also creates a mutex with a random name of ten characters, for example "bwukqmmsyf".

It creates the following registry entry, possibly as an infection marker in order to prevent multiple instances of the malware from running and possibly arousing suspicion:

In subkey: HKCU\Software\<mutex name>\CLSID, for example "HKCU\Software\bwukqmmsyf\CLSID"
Sets value: "<default>"
With data: "<random globally unique identifier>", for example "{7d5b4281-35a1-4e0f-9c1d-cca2b6f45d50}"
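The persistence pattern described above (a Run value whose data is rundll32.exe loading a DLL from a per-user AppData path via the CreateInstance export, with the value name equal to the DLL's parent folder) and the "<existing DLL name>32.exe" drop in the system folder are both easy to check for from an exported registry or directory listing. The following Python is an added example written for this page; it is not Microsoft's or Softpanorama's code. The Run values and file names it scans are constructed sample data embedded inline, and the function names are this example's own.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values as (value name, data) pairs. The "Ares" entries mirror the shape
# described in the encyclopedia entry; the others are benign look-alikes.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Ares", r'rundll32.exe "C:\Users\alice\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance'),
    # Same entry with the missing space seen in some write-ups of the data string.
    ("Ares", r'rundll32.exe"C:\Users\alice\AppData\Roaming\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance'),
    ("Helper", r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Start'),
]

# Constructed listing of a system folder: olecli32.dll exists, so a file named
# olecli3232.exe matches the "<existing DLL name>32.exe" drop pattern.
SAMPLE_SYSTEM_FOLDER = ["olecli32.dll", "olecli3232.exe", "kernel32.dll", "notepad.exe"]

# rundll32[.exe] "<path>.dll",<export>  (space after rundll32.exe optional)
RUNDLL_RE = re.compile(
    r'^\s*rundll32(?:\.exe)?\s*"(?P<path>[^"]+\.dll)"\s*,\s*(?P<export>\w+)\s*$',
    re.IGNORECASE,
)
APPDATA_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


def check_run_value(name, data):
    """Return the list of Tracur-style indicators present in one Run value."""
    m = RUNDLL_RE.match(data)
    if not m:
        return []
    path, export = m.group("path"), m.group("export")
    parts = path.split("\\")
    reasons = []
    if APPDATA_RE.search(path):
        reasons.append("rundll32 loads a DLL from a per-user AppData folder")
    if export.lower() == "createinstance":
        reasons.append("export name CreateInstance matches the described entry point")
    if len(parts) >= 2 and parts[-2].lower() == name.lower():
        reasons.append("value name equals the DLL's parent folder name")
    return reasons


def scan_run_values(values, min_indicators=2):
    """Return (name, data, reasons) for values with at least min_indicators hits.

    Requiring more than one indicator keeps ordinary rundll32 entries
    (vendor DLLs under Program Files) out of the result.
    """
    hits = []
    for name, data in values:
        reasons = check_run_value(name, data)
        if len(reasons) >= min_indicators:
            hits.append((name, data, reasons))
    return hits


def find_dll32_copies(filenames):
    """Return file names of the form <stem>32.exe where <stem>.dll is present.

    This is the "<existing DLL name>32.exe" drop pattern; an .exe sitting
    next to the DLL whose name it borrows is what makes it stand out.
    """
    lower = {f.lower() for f in filenames}
    dll_stems = {f[:-4] for f in lower if f.endswith(".dll")}
    return sorted(
        f for f in filenames
        if f.lower().endswith("32.exe") and f.lower()[:-6] in dll_stems
    )


if __name__ == "__main__":
    for name, data, reasons in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"Run value {name!r}: {data}")
        for r in reasons:
            print("   -", r)
    print("Suspicious system-folder copies:", find_dll32_copies(SAMPLE_SYSTEM_FOLDER))
```

On a live host the same functions can be fed the output of an exported Run key and a directory listing of the system folder; the value-name-equals-folder-name check is the most specific of the three indicators, since legitimate rundll32 entries rarely name themselves after the DLL's containing folder.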

Payload
Redirects Internet search queries

Trojan:Win32/Tracur.AV redirects searches to a malicious URL when one of the following search engines is used:

To aid in its search-redirection payload, Trojan:Win32/Tracur.AV installs a Firefox browser extension by dropping a JAR archive file, with an .xpi extension, as follows:

<Firefox profile>\<Profile1>\extensions\<random>@<random>.org.xpi

Note: <random> contains ten randomly generated characters, for example "elsahusoen@elsahusoen.org.xpi".

Note: <Firefox profile> is taken from the profile paths of different user accounts that the trojan retrieves from the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user ID>\ProfileImagePath

where <user ID> refers to your account identifier, for example "S-15-18".

The Firefox browser extension contains another JAR archive file, for example "printing.jar" or "performance.jar", that contains a malicious JavaScript file "overlay.xul", detected as Trojan:JS/Tracur.E.
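The Firefox extension described above has two recognisable traits: the file name "<random>@<random>.org.xpi" with ten-letter random parts, and a nested JAR inside the .xpi that carries "overlay.xul". Because an .xpi is a ZIP archive, both can be checked offline without loading the extension. The following Python is an added example written for this page, not code from Microsoft or Softpanorama; the .xpi it inspects is constructed in memory (the overlay.xul inside it is a placeholder, not the real script), and the function names are this example's own.

```python
import io
import re
import zipfile

# <ten letters>@<ten letters>.org.xpi, e.g. elsahusoen@elsahusoen.org.xpi
XPI_NAME_RE = re.compile(r"^[a-z]{10}@[a-z]{10}\.org\.xpi$", re.IGNORECASE)


def build_sample_xpi():
    """Constructed sample: an .xpi holding a nested printing.jar with overlay.xul."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("content/overlay.xul", "<overlay/>")  # placeholder content
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("chrome/printing.jar", inner.getvalue())
    return outer.getvalue()


def build_benign_xpi():
    """Constructed sample: an .xpi with no nested jar at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("chrome/content/main.js", "// nothing here")
    return buf.getvalue()


def nested_jars_with_overlay(xpi_bytes):
    """Return the names of .jar members inside the .xpi that contain an overlay.xul."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for member in xpi.namelist():
            if not member.lower().endswith(".jar"):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(xpi.read(member))) as jar:
                    if any(n.lower().endswith("overlay.xul") for n in jar.namelist()):
                        found.append(member)
            except zipfile.BadZipFile:
                # A .jar member that is not a valid archive is simply skipped.
                continue
    return found


def assess_extension(filename, xpi_bytes):
    """Return the list of Tracur-style indicators for one extension file."""
    reasons = []
    if XPI_NAME_RE.match(filename):
        reasons.append("file name is <10 letters>@<10 letters>.org.xpi")
    jars = nested_jars_with_overlay(xpi_bytes)
    if jars:
        reasons.append("nested jar(s) carry overlay.xul: " + ", ".join(jars))
    return reasons


if __name__ == "__main__":
    for name, data in [
        ("elsahusoen@elsahusoen.org.xpi", build_sample_xpi()),
        ("ublock_origin@raymondhill.net.xpi", build_benign_xpi()),
    ]:
        print(name, "->", assess_extension(name, data) or "no indicators")
```

When walking real profile directories, run assess_extension over every file in each "<profile>\extensions" folder; the name pattern alone produces false positives on any add-on with a short, lowercase identifier, so the nested-jar check is the one to weight.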

Allows backdoor access and control

Trojan:Win32/Tracur.AV attempts to connect to a server via a random TCP port and waits for commands. Using this backdoor, an attacker can perform a number of actions on your computer, including the following:

Related encyclopedia entries

Trojan:Win32/Tracur

Trojan:Win32/Tracur.AN

Trojan:JS/Tracur.E

Analysis by Rodel Finones





Copyright 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019