
Trojan:Win32/Tracur.AK


First posted on 30 May 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Tracur.AK is also known as TROJ_TRACUR.MV (Trend Micro), Sefnit.ah (McAfee), Trojan.Tracur (Symantec).

Explanation:

Trojan:Win32/Tracur.AK is a trojan that installs other programs, such as additional malware or malware components, without your consent.



Installation

When this trojan is run, it drops other Win32/Tracur components as randomly named DLL files into folders that may already exist within the 'Application Data' folder (so the files sit among legitimate application data rather than in a new, conspicuous directory), as in the following examples:

  • %AppData%\bittorrent dna\ares\ihkpbqo.dll - Trojan:Win32/Tracur.AK
  • %AppData%\bittorrent dna\ares\xyqwy.dll - Trojan:Win32/Tracur.AK
  • %AppData%\identities\identities\arzpii.dll - Trojan:Win32/Tracur.AK
  • %AppData%\identities\identities\ctxqkyxjb.dll - Trojan:Win32/Tracur.AN


The trojan then creates a Run-key value so that the installed malware is executed when Windows starts. The value name is taken from the word list below and the data is built by concatenating the rundll32.exe command, the path of the dropped DLL and the DllRegisterServer export, in the following format:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<listed word>"
To data: "rundll32.exe "%AppData%\<folder name>\<folder name>\<random file name>.dll",DllRegisterServer"

Where the value of "<listed word>" is any of the following:

  • Apple
  • Backup
  • Directx
  • Display
  • Google
  • Intel
  • Java
  • Keyboard
  • Manager
  • Microsoft
  • Mouse
  • Notifier
  • Policy
  • Profile
  • Service
  • Tray
  • Update
  • Verifier
  • Windows


The following are examples of registry modifications made by the malware on your computer:

In subkey: HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
To data: "rundll32.exe "%AppData%\adobe\adobe\arzpii.dll",DllRegisterServer"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
To data: "rundll32.exe "%AppData%\adobe\adobe\arzpii.dll",DllRegisterServer"

In subkey: HKLM\Software\Classes\CLSID\<CLSID>\InprocServer32
Sets value: "(default)"
To data: "%AppData%\<malware path and file name>"

The InprocServer32 default value is the path of an in-process COM server, so this entry registers the dropped DLL as a COM object and gives the malware a second load path in addition to the Run key: any process that instantiates that CLSID loads the DLL.
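The two registry patterns above (a Run-key value that uses rundll32.exe to call DllRegisterServer on a DLL under %AppData%, and a CLSID InprocServer32 default value pointing into %AppData%) are specific enough to hunt for. The following is an added detection example, not Microsoft's code or part of the original analysis. It takes registry values as (key, name, data) tuples, as you would collect them with reg query, Autoruns, or an offline hive parser, and generalises slightly beyond the page: it accepts any key ending in \CurrentVersion\Run (not only HKCU and HKU\.DEFAULT), and it recognises the expanded per-user profile path as well as the %AppData% token. The sample values at the bottom are constructed for the example; the CLSID in them is a placeholder.

```python
"""Flag registry values matching the Win32/Tracur persistence pattern.

Added example, not Microsoft's code.  Input: RegValue(key, name, data) tuples
collected from a host or a hive export.  The SAMPLES list is constructed.
"""
import re
from typing import NamedTuple, Optional

# Value names the page lists for the Run entry (compared case-insensitively).
TRACUR_VALUE_NAMES = frozenset({
    "apple", "backup", "directx", "display", "google", "intel", "java",
    "keyboard", "manager", "microsoft", "mouse", "notifier", "policy",
    "profile", "service", "tray", "update", "verifier", "windows",
})

# rundll32[.exe] "<path>.dll",DllRegisterServer  (quotes and full path optional)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?'
    r'(?P<path>[^",]+?\.dll)"?\s*,\s*dllregisterserver\s*$',
    re.IGNORECASE,
)

# %AppData% as the unexpanded token or as the expanded roaming profile path
# (Vista+ and XP layouts).  Assumption: the dropper uses no other prefix.
APPDATA_RE = re.compile(
    r'^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming'
    r'|[a-z]:\\documents and settings\\[^\\]+\\application data)\\(?P<rest>.+)$',
    re.IGNORECASE,
)


class RegValue(NamedTuple):
    key: str   # full key path, e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str  # value name; "(default)" or "" for the default value
    data: str  # REG_SZ / REG_EXPAND_SZ data


def _appdata_relative(path: str) -> Optional[list]:
    """Path components below %AppData%, or None if the path is not under it."""
    m = APPDATA_RE.match(path)
    return m.group("rest").split("\\") if m else None


def check_run_value(v: RegValue) -> list:
    """Indicators for a Run-key value; an empty list means no match."""
    if not v.key.lower().endswith(r"\currentversion\run"):
        return []
    m = RUNDLL_RE.match(v.data)
    if not m:
        return []
    parts = _appdata_relative(m.group("path"))
    if parts is None or len(parts) < 2:      # need at least one folder under %AppData%
        return []
    found = ["rundll32 calls DllRegisterServer on a DLL under %AppData%"]
    if v.name.lower() in TRACUR_VALUE_NAMES:
        found.append(f"value name {v.name!r} is in the Tracur word list")
    if len(parts) == 3 and parts[0].lower() == parts[1].lower():
        found.append(f"folder name {parts[0]!r} is repeated, as in the page's examples")
    return found


def check_inproc_value(v: RegValue) -> list:
    """Indicator for a CLSID InprocServer32 default value that loads from %AppData%."""
    if not re.search(r"\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32$", v.key, re.IGNORECASE):
        return []
    if v.name not in ("", "(default)"):
        return []
    if _appdata_relative(v.data.strip('"')) is None:
        return []
    return ["CLSID InprocServer32 default value loads a DLL from %AppData%"]


def scan(values) -> list:
    """(value, indicators) for every value matching either check, in input order."""
    hits = []
    for v in values:
        found = check_run_value(v) or check_inproc_value(v)
        if found:
            hits.append((v, found))
    return hits


# Constructed samples: the first three mirror the page's examples, the last two are
# benign look-alikes (a listed word with harmless data, and a normal Run entry).
SAMPLES = [
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Update",
             r'rundll32.exe "%AppData%\adobe\adobe\arzpii.dll",DllRegisterServer'),
    RegValue(r"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Ares",
             r'rundll32.exe "C:\Users\alice\AppData\Roaming\bittorrent dna\ares\ihkpbqo.dll",DllRegisterServer'),
    RegValue(r"HKLM\Software\Classes\CLSID\{01234567-89ab-cdef-0123-456789abcdef}\InprocServer32",
             "(default)", r"C:\Users\alice\AppData\Roaming\identities\identities\ctxqkyxjb.dll"),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Intel",
             r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for v, found in scan(SAMPLES):
        print(f"{v.key}\\{v.name}")
        for f in found:
            print("   ", f)
```

The word list on its own is not an indicator (the "Intel" sample is correctly ignored); what makes the pattern specific is rundll32.exe invoking DllRegisterServer on a DLL that lives under the roaming profile, which legitimate installers register from Program Files or System32 instead. Treat the repeated folder name and a listed value name as confidence boosters, and verify any hit by hashing the referenced DLL rather than by the registry data alone.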



Payload

Changes Internet settings

Trojan:Win32/Tracur.AK changes the following setting so that Internet Explorer starts in online mode. This clears the 'Work Offline' state honoured by Internet Explorer and WinINet, so that connections made through them (including any the trojan makes itself) are not blocked:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "GlobalUserOffline"
With data: "0"

Contacts a remote host

Trojan:Win32/Tracur.AK attempts to contact a remote host. Commonly, malware may contact a remote host for the following purposes:

  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer




Analysis by Ding Plazo

Last update 30 May 2012
