Installation
Trojan:Win32/Tracur.AV combines the names of two folders in the %LOCALAPPDATA% or %APPDATA% folder to create a new folder path, in the following format:
- %LOCALAPPDATA%\<folder 1>\<folder 2>\<random>.dll
- %APPDATA%\<folder 2>\<folder 1>\<random>.dll
For example, if %LOCALAPPDATA% contains a folder called "Microsoft" and a folder called "Netscape", the DLL would be dropped in one of the following folders:
- C:\Users\<user>\AppData\Local\Microsoft\Netscape\dwnxzmqxa.dll
- C:\Users\<user>\AppData\Local\Netscape\Microsoft\dwnxzmqxa.dll
The trojan drops a malicious DLL component into the newly created folder path. In the wild, we have observed the DLL with the following file names:
- dwnxzmqxa.dll
- egavp.dll
- goqkcl.dll
- hbpfdb.dll
- mvljo.dll
- onduhznwf.dll
- qseinzzqz.dll
- skorlmnjq.dll
- sshnkky.dll
We detect the malicious DLL as Trojan:Win32/Tracur.AV or Trojan:Win32/Tracur.AN.
When run, Trojan:Win32/Tracur.AV drops a copy of itself to "<system folder>\<existing DLL name>32.exe", where <existing DLL name> refers to any existing Windows DLL file located in the <system folder>, for example "C:\Windows\System32\olecli3232.exe".
Trojan:Win32/Tracur.AV modifies the following registry entries to ensure that its copy runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%APPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"
Note: <malware value> uses the same name as <second folder>, for example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Roaming\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"
Trojan:Win32/Tracur.AV also creates a mutex with a random name of ten characters, for example "bwukqmmsyf".
It creates the following registry entry, possibly as an infection marker that prevents multiple instances of the malware from running and arousing suspicion:
In subkey: HKCU\Software\<mutex name>\CLSID, for example "HKCU\Software\bwukqmmsyf\CLSID"
Sets value: "<default>"
With data: "<random globally unique identifier>", for example "{7d5b4281-35a1-4e0f-9c1d-cca2b6f45d50}"
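As an added defender-side example (not part of this encyclopedia entry), the following Python script applies the persistence and marker details above to registry entries exported from a host, flagging Run values that load a DLL from a two-folder %LOCALAPPDATA%/%APPDATA% path via rundll32 CreateInstance under a value name equal to the second folder, and HKCU\Software\<mutex>\CLSID keys holding a GUID. The sample entries and the user name "alice" are constructed.

```python
import re

# Run-value data shape from the entry:
#   rundll32.exe "<path>\<folder 1>\<folder 2>\<random>.dll",CreateInstance
RUN_DATA_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*CreateInstance\s*$', re.IGNORECASE)
# DLL path: %LOCALAPPDATA%/%APPDATA% (expanded or not), then exactly two folders and the DLL.
DLL_PATH_RE = re.compile(
    r'(?:\\AppData\\(?:Local|Roaming)|%LOCALAPPDATA%|%APPDATA%)'
    r'\\(?P<f1>[^\\]+)\\(?P<f2>[^\\]+)\\(?P<name>[^\\]+\.dll)$', re.IGNORECASE)
# Infection marker: HKCU\Software\<ten-character mutex name>\CLSID with a GUID as default data.
MARKER_KEY_RE = re.compile(r'^HKCU\\Software\\[A-Za-z0-9]{10}\\CLSID$', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

def check_run_value(value_name, data):
    """Finding string for Tracur.AV-style rundll32 persistence, or None."""
    m = RUN_DATA_RE.match(data.strip())
    if not m:
        return None
    p = DLL_PATH_RE.search(m.group("dll"))
    # The entry notes the value name equals <second folder>; requiring it cuts false positives.
    if not p or value_name.lower() != p.group("f2").lower():
        return None
    return f"Run value '{value_name}' loads {m.group('dll')} via rundll32 CreateInstance"

def check_marker(subkey, data):
    """Finding string for the HKCU\\Software\\<mutex>\\CLSID marker, or None."""
    if MARKER_KEY_RE.match(subkey) and GUID_RE.match(data.strip()):
        return f"possible Tracur infection marker: {subkey} = {data}"
    return None

def scan(entries):
    """entries: (subkey, value_name, data) tuples, e.g. parsed from a registry export."""
    findings = []
    for subkey, value_name, data in entries:
        hit = (check_run_value(value_name, data) if subkey.lower() == RUN_KEY.lower()
               else check_marker(subkey, data))
        if hit:
            findings.append(hit)
    return findings

# Constructed sample entries (not from a real system): two mirror the entry's example,
# one is a benign Run value, and one is the marker key.
SAMPLE_ENTRIES = [
    (RUN_KEY, "Ares", r'rundll32.exe "C:\Users\alice\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance'),
    (RUN_KEY, "Ares", r'rundll32.exe "%APPDATA%\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance'),
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\bwukqmmsyf\CLSID", "(default)", "{7d5b4281-35a1-4e0f-9c1d-cca2b6f45d50}"),
]
```

A match is a triage lead, not a verdict: confirm by checking the referenced DLL and its export table before acting on it.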
Payload
Redirects Internet search queries
Trojan:Win32/Tracur.AV redirects searches to a malicious URL when one of the following search engines is used:
- AlltheWeb
- AltaVista
- AOL
- Ask
- Bing
- Gigablast
- Google
- HotBot
- Lycos
- Netscape
- Snap
- Yahoo
- YouTube
To help its search-redirection payload, Trojan:Win32/Tracur.AV installs a Firefox browser extension by dropping a JAR archive file, with an .xpi extension, as follows:
<Firefox profile>\<Profile1>\extensions\<random>@<random>.org.xpi
Notes:
- <random> contains ten randomly generated characters, for example "elsahusoen@elsahusoen.org.xpi"
- <Firefox profile> is taken from the profile paths of different user accounts that the trojan retrieves from the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user ID>\ProfileImagePath
where <user ID> refers to your account identifier, for example "S-15-18".
The Firefox browser extension contains another JAR archive file, for example "printing.jar" or "performance.jar", that contains a malicious JavaScript file "overlay.xul", detected as Trojan:JS/Tracur.E.
Allows backdoor access and control
Trojan:Win32/Tracur.AV attempts to connect to a server via a random TCP port and waits for commands. Using this backdoor, a hacker can perform a number of actions on your computer, including the following:
- Control the Internet search redirection parameters of the malware
- Download and run files
Analysis by Rodel Finones