Security home

 

Home / malwarePDF  

Trojan:Win32/Tracur.AN


First posted on 19 June 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Tracur.AN is also known as TR/Tracur.AN.17 (Avira), Trojan.Win32.Tracur (Ikarus), Troj/Tracur-AE (Sophos), Trojan.Tracur!gen2 (Symantec).

Explanation :



Trojan:Win32/Tracur.AN is a trojan that redirects your search results from legitimate search sites to malicious websites.



Installation

Upon execution, Trojan:Win32/Tracur.AN drops a copy as a DLL file with a random name in a subfolder within %AppData%, for example, "%AppData%\Identities\Identities\mijimxh.dll". The trojan will run when you start Windows.



Payload

Redirects user searches

TrojanDownloader:Win32/Tracur.AN redirects searches when you perform searches using any of the following websites:

  • Alltheweb.com
  • Altavista.com
  • AOL
  • Ask
  • Bing
  • Gigablast.com
  • Google
  • Hotbot.com
  • Lycos.com
  • Netscape.com
  • Snap.com
  • Vimeo
  • Yahoo


Searched keywords are sent to a server located in IP address "184.173.181.54". This server then generates a URL for the browser to redirect to.

Note that the search results that appear are the normal results. The redirection hapens when you click on any of the normal results.

Contacts remote host

TrojanDownloader:Win32/Tracur.AN may contact a remote server, possibly for any of the following purposes:

  • To report a new infection to its author
  • To receive configuration or other dat
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer
Additional information

This trojan creates the following registry data as part of its installation process:

In subkey: HKCU\Software\<random value>\CLSID
Sets value: "(default)"
With data: "{<random value generated by the computer>}

For example:
In subkey: HKCU\Software\Tifehlmnqib\CLSID
Sets value: "(default)"
With data: "{a071aa13-a972-4b44-87de-4fd2f7495e95}"

Trojan:Win32/Tracur.AN also ensures that it automatically starts every time Windows starts by creating registry data, for example,:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
With data: "rundll32.exe "%AppData%\Identities\Identities\mijimxh.dll",DllRegisterServer"



Analysis by Alden Pornasdoro

Last update 19 June 2012

 

TOP

Malware :

Family: