It is a member of the Trojan:Win32/Tracur family.
Installation
Trojan:Win32/Tracur.AN drops a modified copy of itself, as a DLL file, into a folder path that it creates by combining the names of two folders in the %LOCALAPPDATA% or %APPDATA%, in the following format:
- %LOCALAPPDATA%\<folder 1>\<folder 2>\<random>.dll
- %APPDATA%\<folder 2>\<folder 1>\<random>.dll
Note: %LOCALAPPDATA% and %APPDATA% refer to variable locations that are determined by the malware by querying the operating system. The default installation location for the Local AppData folder for Windows Vista and 7 is "C:\Users\<user>\AppData\Local"; it does not exist in Windows Vista and 7.
The default installation location for the AppData folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data", and for Windows Vista and 7 it is "C:\Users\<user>\AppData\Roaming".
For example, if %LOCALAPPDATA% contains a folder called "Microsoft" and a folder called "Netscape", the DLL would be dropped in either one of the following folders:
- C:\Users\<user>\AppData\Local\Microsoft\Netscape\dwnxzmqxa.dll
- C:\Users\<user>\AppData\Local\Netscape\Microsoft\dwnxzmqxa.dll
In the wild, we have observed the DLL with the following file names:
- dwnxzmqxa.dll
- egavp.dll
- goqkcl.dll
- hbpfdb.dll
- mijimxh.dll
- mvljo.dll
- onduhznwf.dll
- qseinzzqz.dll
- skorlmnjq.dll
- sshnkky.dll
We detect the malicious DLL as Trojan:Win32/Tracur.AN and Trojan:Win32/Tracur.AV.
When run, Trojan:Win32/Tracur.AN drops a copy of itself to "<system folder>\<existing DLL name>32.exe", where <existing DLL name> refers to any existing Windows DLL file located in the system folder, for example "C:\Windows\System32\olecli3232.exe".
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32" and for XP, Vista, 7 and W8 is "C:\Windows\System32".
Trojan:Win32/Tracur.AN modifies the following registry entries to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%APPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"
Note: <malware value> uses the same name as <second folder>, for example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Roaming\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"
It creates the following registry entry, possibly as an infection marker in order to prevent multiple instances of the malware from running and possibly arousing suspicion:
In subkey: HKCU\Software\<mutex name>\CLSID, for example "HKCU\Software\bwukqmmsyf\CLSID"
Sets value: "<default>"
With data: "<random globally unique identifier>", for example "{7d5b4281-35a1-4e0f-9c1d-cca2b6f45d50}"
Trojan:Win32/Tracur.AN also creates a mutex with a random name of ten characters, for example "bwukqmmsyf".
Payload
Redirects web searches
Trojan:Win32/Tracur.AN monitors your web browsing and may redirect web searches to a malicious URL when one of the following search engines are used:
- AlltheWeb
- AltaVista
- AOL
- Ask
- Bing
- Gigablast
- Google
- HotBot
- Lycos
- Netscape
- Snap
- Yahoo
- YouTube
To aid in its search-redirection payload, Trojan:Win32/Tracur.AN installs a Firefox browser extension by dropping a JAR archive file, with an .xpi extension, as follows:
<Firefox profile>\<Profile1>\extensions\<random>@<random>.org.xpi
Note: <random> contains ten pseudo-randomly generated characters, for example "elsahusoen@elsahusoen.org.xpi".
Note: <Firefox profile> is taken from the profile paths of different user accounts that the trojan retrieves from the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user ID>\ProfileImagePath
where <user ID> refers to your account identifier, for example "S-15-18".
The Firefox browser extension contains another JAR archive file, for example "printing.jar" or "performance.jar", that contains a malicious JavaScript file "overlay.xul", detected as Trojan:JS/Tracur.E.
Searched keywords are sent to a server located in IP address "184.173.181.54". This server then generates a URL for the browser to redirect to.
Note that the search results that appear are the normal results. The redirection happens when you click on any of the normal results.
Allows backdoor access and control
Trojan:Win32/Tracur.AN attempts to connect to a server via a random TCP port and waits for commands. Using this backdoor, an attacker can perform a number of actions on your computer, including the following:
- Control the Internet search redirection parameters of the malware
- Download and execute arbitrary files
Related encyclopedia entries
Trojan:Win32/Tracur
Trojan:Win32/Tracur.AV
Trojan:JS/Tracur.E
Analysis by Rodel Finones