
TrojanDownloader:Win32/Tracur.AF


First posted on 13 October 2011.
Source: SecurityHome

Aliases:

TrojanDownloader:Win32/Tracur.AF is also known as Trojan/Win32.FakeAlert (AhnLab), Generic.evx!ba (McAfee), W32/Shiz.V (Norman).

Explanation:

TrojanDownloader:Win32/Tracur.AF is a trojan that silently downloads and executes arbitrary files. This could include the installation of additional malware or malware components to the affected computer.





Installation

TrojanDownloader:Win32/Tracur.AF creates the following files:

  • %AppData%\Microsoft\MicrosoftUpdate\<random name>32.exe
  • %AppData%\Microsoft\MicrosoftUpdate\<random name>32.dll
  • %AppData%\SecurityUser.dll
  • %AppData%\DisplayBackupBackup.dll


The malware generates the random file names by concatenating any of the following words:

  • Windows
  • Microsoft
  • Java
  • Google
  • Apple
  • Directx
  • Intel
  • Keyboard
  • Display
  • Mouse
  • Update
  • Policy
  • Service
  • Tray
  • Notifier
  • Profile
  • Backup
  • Manager
  • Verifier


When executed, TrojanDownloader:Win32/Tracur.AF ensures its execution at each Windows start and installs itself as a Browser Helper Object (BHO) in Internet Explorer by making the following changes to the registry:

In subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Update"
With data: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "DisplayBackupBackup"
With data: rundll32.exe "C:\Documents and Settings\All Users\Application Data\DisplayBackupBackup.dll",DllRegisterServer

In subkey: HKCR\CLSID\{28F512BA-E901-49C7-9BF0-9FD28D29467d}\InprocServer32
Sets value: "(Default)"
With data: C:\Documents and Settings\Administrator\Local Settings\Application Data\SecurityUser.dll

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Sets value: "{28F512BA-E901-49C7-9BF0-9FD28D29467d}"



Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Tracur.AF attempts to connect to the following IP addresses, from which to download arbitrary files:

  • 213.174.137.85
  • 64.111.211.186
  • 66.230.138.117


At the time of writing, details of the downloaded files were not available.
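The installation, persistence and download-server details above translate directly into host and network indicators. The script below is an added triage example, not code from the write-up or from the analyst: it encodes the word list, the MicrosoftUpdate drop folder, the two fixed DLL names, the BHO CLSID and the three IP addresses as matching rules and runs them over constructed sample data (Sysmon-style file paths, Run-key values, a BHO CLSID list and a set of destination IPs). The regular expressions for the generated names are an inference from the word list; because the Run-key sample Microsoftupdt32.exe does not decompose into listed words, a second rule flags any *32.exe or *32.dll inside a Microsoft\MicrosoftUpdate\ folder by location alone. Reading the real registry or event log is left to the caller.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Word list the dropper draws on, as given in the write-up.
TRACUR_WORDS = [
    "Windows", "Microsoft", "Java", "Google", "Apple", "Directx", "Intel",
    "Keyboard", "Display", "Mouse", "Update", "Policy", "Service", "Tray",
    "Notifier", "Profile", "Backup", "Manager", "Verifier",
]
# Fixed indicators quoted in the write-up.
TRACUR_BHO_CLSID = "{28F512BA-E901-49C7-9BF0-9FD28D29467D}"
TRACUR_C2_IPS = {"213.174.137.85", "64.111.211.186", "66.230.138.117"}
TRACUR_FIXED_DLLS = {"securityuser.dll", "displaybackupbackup.dll"}

_WORDS = "|".join(TRACUR_WORDS)
# <Word><Word>...32.exe / .dll: the generated names dropped under MicrosoftUpdate\ (inferred rule).
GENERATED_NAME_RE = re.compile(rf"^(?:{_WORDS})+32\.(?:exe|dll)$", re.IGNORECASE)
# Two or more list words and no "32": the shape of DisplayBackupBackup.dll (hunting heuristic, noisy).
WORD_DLL_RE = re.compile(rf"^(?:{_WORDS}){{2,}}\.dll$", re.IGNORECASE)
# Anything ending in 32.exe/.dll inside a Microsoft\MicrosoftUpdate\ folder. This is what catches the
# registry sample Microsoftupdt32.exe, whose stem is not built from the word list.
DROP_DIR_RE = re.compile(r"\\Microsoft\\MicrosoftUpdate\\[^\\]+32\.(?:exe|dll)$", re.IGNORECASE)
# Run value of the form: rundll32.exe "<path>.dll",DllRegisterServer
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*DllRegisterServer', re.IGNORECASE)


def classify_file(path: str) -> Optional[str]:
    """Return why a file path matches the write-up's indicators, or None if it does not."""
    name = ntpath.basename(path)
    if name.lower() in TRACUR_FIXED_DLLS:
        return "fixed Tracur DLL name"
    if DROP_DIR_RE.search(path):
        return "*32.exe/.dll under Microsoft\\MicrosoftUpdate"
    if GENERATED_NAME_RE.match(name):
        return "word-list name ending in 32"
    if WORD_DLL_RE.match(name):
        return "DLL name built only from word-list words (triage required)"
    return None


def scan_file_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply classify_file() to e.g. Sysmon Event ID 11 TargetFilename values."""
    hits = []
    for path in paths:
        reason = classify_file(path)
        if reason:
            hits.append((path, reason))
    return hits


def _command_path(data: str) -> str:
    """Extract the program path from Run-key data: the quoted token if quoted, else the whole string."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data


def scan_run_values(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """values maps Run-key value names to their data. Returns [(value_name, reason)]."""
    hits = []
    for value_name, data in values.items():
        m = RUNDLL_RE.search(data)
        if m and classify_file(m.group(1)):
            hits.append((value_name, "rundll32 DllRegisterServer on a Tracur-style DLL"))
            continue
        reason = classify_file(_command_path(data))
        if reason:
            hits.append((value_name, reason))
    return hits


def bho_is_registered(clsids: Iterable[str]) -> bool:
    """True if the Tracur BHO CLSID appears among the registered Browser Helper Objects."""
    return any(c.strip().upper() == TRACUR_BHO_CLSID for c in clsids)


def c2_contacts(destination_ips: Iterable[str]) -> Set[str]:
    """Destination IPs (e.g. from proxy or firewall logs) that match the listed download servers."""
    return TRACUR_C2_IPS.intersection(destination_ips)


# --- Constructed sample data for a dry run; none of it comes from a real host ---
SAMPLE_FILE_PATHS = [
    r"C:\Users\bob\AppData\Roaming\Microsoft\MicrosoftUpdate\GoogleTrayNotifier32.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\MicrosoftUpdate\IntelDisplayPolicy32.dll",
    r"C:\Users\bob\AppData\Roaming\SecurityUser.dll",
    r"C:\Users\bob\AppData\Roaming\KeyboardProfileManager.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Java\jre7\bin\java.exe",
]
SAMPLE_RUN_VALUES = {
    "Microsoft Update": r"C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe",
    "DisplayBackupBackup": r'rundll32.exe "C:\Documents and Settings\All Users\Application Data\DisplayBackupBackup.dll",DllRegisterServer',
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_BHO_CLSIDS = ["{00000000-1111-2222-3333-444444444444}", "{28f512ba-e901-49c7-9bf0-9fd28d29467d}"]
SAMPLE_DEST_IPS = {"8.8.8.8", "64.111.211.186", "10.0.0.5"}

if __name__ == "__main__":
    for path, reason in scan_file_paths(SAMPLE_FILE_PATHS):
        print(f"file  {reason}: {path}")
    for value_name, reason in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"run   {reason}: {value_name}")
    print("bho   Tracur CLSID registered:", bho_is_registered(SAMPLE_BHO_CLSIDS))
    print("net   download servers contacted:", sorted(c2_contacts(SAMPLE_DEST_IPS)))
```

Two caveats when adapting this. The file list above places the drops under %AppData%, while the Run-key data shows Local Settings\Application Data and All Users\Application Data, so the folder rule keys on the Microsoft\MicrosoftUpdate\ segment rather than on a specific profile root; feed it paths from every user profile and from ProgramData. The bare word-concatenation rule (WORD_DLL_RE) will also hit legitimate names such as WindowsUpdate.dll, so treat those hits as leads to triage, not verdicts.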



Analysis by Mihai Calota

Last update 13 October 2011
