
TrojanDownloader:Win32/Tracur.B


First posted on 30 June 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Tracur.B is also known as Win32/Nugg.worm.143360 (AhnLab), Trojan.Tracur.A (BitDefender), P2P-Worm.Win32.nugg.bd (Kaspersky), Generic Downloader.x!cg (McAfee), W32/Agent.MPDD (Norman), W32/P2PWorm.AK.worm (Panda), Troj/Agent-INP (Sophos) and Worm.P2P.Nugg.BV (VirusBuster).

Explanation :

TrojanDownloader:Win32/Tracur.B is a trojan component installed by TrojanDownloader:Win32/Tracur.A. This trojan component downloads and executes arbitrary files.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.


Installation
TrojanDownloader:Win32/Tracur.B is installed by TrojanDownloader:Win32/Tracur.A and is present in the Windows system folder as a randomly named file, for example '<system folder>\fde32.dll'. The registry is modified to run the dropped component at each Windows start:

Adds value: "DllName"
With data: "<system folder>\fde32.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acc0e9de600

Adds value: "AppInit_Dlls"
With data: "<system folder>\fde32.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

The Winlogon Notify entry makes winlogon.exe load the DLL at logon events; the AppInit_DLLs entry makes it load into every process that links user32.dll, which is why a user-mode DLL with no process of its own can still run at each start.

When Win32/Tracur.B executes, it creates a mutex named "5113E92E5B1-D6FE-4804-9E28-FEF7FA8750A41864" to ensure that only one instance of the malware runs at a time. It then checks whether its parent process is one of the following:

  • explorer.exe
  • winlogon.exe
  • iexplore.exe
  • firefox.exe
  • opera.exe
  • chrome.exe

If the parent process is not one of the above, the malware exits.

Payload
Downloads and Executes Arbitrary Files
TrojanDownloader:Win32/Tracur.B listens on a TCP port that is not fixed (for example, TCP port 1345) and waits for instructions from an attacker. The trojan may be instructed to perform the following actions:

  • Download and execute arbitrary files
  • Redirect the user's web browser to a URL of the attacker's choice, and maximize the Web browser window
  • The malware also creates a named pipe "\\.\pipe\82781219D3C34ebcA476079C6EC9FDF40" that can allow an attacker access to steal data

Additional Information
The registry may be modified with the following additional changes:

Adds value: "acc0e9de"
With data: "00 AF F8 70 BF CA C9 01"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
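The registry changes listed under Installation and Additional Information (the Winlogon\Notify package, the AppInit_DLLs entry and the 8-byte marker under Explorer) can be checked offline against a `reg export` taken from a suspect machine. The script below is an added example written for this page, not code from the original analysis. It parses a constructed .reg excerpt modelled on the values given here, flags the three indicators, and decodes the marker's 8 bytes as a Windows FILETIME on the assumption that the value is a timestamp (the page does not say what the bytes encode). The system-folder path C:\WINDOWS\system32, the benign ScCertProp entry and the allowlist of Notify DLLs are illustrative assumptions.

```python
"""Offline triage of a Windows registry export (.reg) for the persistence entries
described on this page: a Winlogon\\Notify package, an AppInit_DLLs load and an
8-byte REG_BINARY marker under Explorer.  Added example, not the original analysis."""
import re
from datetime import datetime, timedelta, timezone

# Constructed .reg excerpt modelled on the page's values.  "fde32.dll", the Notify
# subkey "acc0e9de600" and the Explorer value come from the page; the
# C:\WINDOWS\system32 path and the ScCertProp entry (a stock Windows XP Notify
# package, included as a benign control) are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\fde32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acc0e9de600]
"DllName"="C:\\WINDOWS\\system32\\fde32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"acc0e9de"=hex:00,af,f8,70,bf,ca,c9,01
"""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer"
# Illustrative allowlist of DLLs that stock Windows XP Notify packages point at;
# replace it with names taken from a known-clean baseline of the same build.
KNOWN_NOTIFY_DLLS = {"wlnotify.dll", "sclgntfy.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll"}


def _unescape(s):
    """Undo .reg string escaping (backslash-quote and doubled backslash)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: (kind, data)}} from .reg text.
    Handles "string", dword: and hex:/hex(n): values, including hex continuation lines."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex value
            pending[1].append(line.rstrip("\\"))
            if not line.endswith("\\"):
                name, parts = pending
                keys[current][name] = ("hex", bytes.fromhex("".join(parts).replace(",", "")))
                pending = None
            continue
        if not line or line[0] in ";@" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = _unescape(m.group(1)), m.group(2)
        if val[:1] == '"' and val[-1:] == '"':
            keys[current][name] = ("sz", _unescape(val[1:-1]))
        elif val.startswith("dword:"):
            keys[current][name] = ("dword", int(val[6:], 16))
        elif re.match(r"hex(\(\w+\))?:", val):
            body = val.split(":", 1)[1]
            if body.endswith("\\"):
                pending = (name, [body.rstrip("\\")])
            else:
                keys[current][name] = ("hex", bytes.fromhex(body.replace(",", "")))
    return keys


def get_value(values, wanted):
    """Case-insensitive lookup: Windows treats "DllName" and "DLLName" as the same value."""
    for name, entry in values.items():
        if name.lower() == wanted.lower():
            return entry
    return None


def filetime_to_datetime(raw8):
    """Decode 8 little-endian bytes as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int.from_bytes(raw8, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def triage(reg_text, known_notify_dlls=KNOWN_NOTIFY_DLLS):
    """Return (indicator, detail) pairs for the three registry changes the page lists."""
    keys = parse_reg(reg_text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    # 1. AppInit_DLLs: every DLL listed here is loaded into each process that links user32.dll.
    entry = get_value(by_lower.get(WINDOWS_KEY.lower(), {}), "AppInit_DLLs")
    if entry and entry[0] == "sz":
        findings += [("AppInit_DLLs", d) for d in re.split(r"[ ,;]+", entry[1].strip()) if d]
    # 2. Winlogon\Notify: winlogon.exe loads each subkey's DllName at logon events.
    for path, values in keys.items():
        if path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            entry = get_value(values, "DllName")
            if entry and entry[0] == "sz" and entry[1].split("\\")[-1].lower() not in known_notify_dlls:
                findings.append(("Winlogon\\Notify\\" + path.split("\\")[-1], entry[1]))
    # 3. Explorer marker: an 8-hex-character value holding exactly 8 bytes.  The page does
    #    not say what the bytes encode; decoding them as a FILETIME is an assumption.
    for name, (kind, data) in by_lower.get(EXPLORER_KEY.lower(), {}).items():
        if kind == "hex" and len(data) == 8 and re.fullmatch(r"[0-9a-fA-F]{8}", name):
            findings.append(("Explorer marker " + name, filetime_to_datetime(data).isoformat()))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_REG):
        print(f"{indicator:32} {detail}")
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion out.reg` plus the Explorer key), the same logic applies unchanged; the interesting output from the constructed excerpt is that the marker bytes decode to a date in early May 2009, shortly before this analysis was written, which is what makes the timestamp interpretation worth checking against file-system timestamps of the dropped DLL.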

    Analysis by Tim Liu

    Last update 30 June 2009