
TrojanDownloader:Win32/Tracur.AA


First posted on 22 March 2012.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Tracur.AA.

Explanation :

TrojanDownloader:Win32/Tracur.AA is a trojan that silently downloads and installs other programs without consent. It could install additional malware or malware components to an affected computer.





Installation

TrojanDownloader:Win32/Tracur.AA drops the following files into a randomly selected folder inside %LOCALAPPDATA% or %APPDATA%:

  • <folder>\wsusupdate\wsusupdate.dll - copy of itself
  • <folder>\wsusupdate\wsusupdate.exe - non-malicious generic DLL loader, which loads the first file


It modifies the system registry so that its dropped copy runs every time Windows starts, via the DLL loader:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WSUSUpdate"
With data: "%APPDATA%\<folder>\wsusupdate\wsusupdate.exe"
or: "%LOCALAPPDATA%\<folder>\wsusupdate\wsusupdate.exe"



Payload

Drops other malware

TrojanDownloader:Win32/Tracur.AA drops a malicious DLL component, detected as TrojanDownloader:Win32/Tracur.AI, in %LocalAppData% or %AppData% with the following name format:

<string 1><string 2>.dll

where <string 1> is one of the following:

  • explorer
  • hardware
  • internet
  • network
  • security
  • service
  • shell
  • system
  • tcpip
  • tray


and <string 2> is one of the following:

  • admin
  • codec
  • ptr
  • sys
  • sys32
  • user
  • win32
  • wmp
  • wow64
  • x86_x64


It may also drop the DLL component with any of the following hardcoded file names in %LocalAppData% and %AppData%:

  • \adobeupdate\adobeup.dll
  • \applicationhistory\applicationhistoryupdate\applicationhistoryup.dll
  • \ares\aresupdate\aresup.dll
  • \bittorrent dna\bittorrentupdate\bittorrentup.dll
  • \shareaza\shareazaupdate\shareazaup.dll
  • \shareazaupdate\shareazaup.dll
  • appleprofileprofile.dll
  • displayprofilepolicy.dll
  • keyboardnotifierverifier.dll
  • microsoftbackupverifier.dll
  • microsoftverifierpolicy.dll


It modifies the system registry so that its dropped DLL file automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value with any of the following names:

  • Adobe Update
  • AppleProfileProfile
  • DisplayProfilePolicy
  • Intel Update
  • JavaNotifierProfile
  • Local Update
  • MicrosoftBackupVerifier
  • MicrosoftVerifierPolicy
  • Netscape Update
  • ODBC Update
  • Update

With data: "rundll32 "<dropped DLL file>", dllregisterserver"

TrojanDownloader:Win32/Tracur.AA may then register its dropped DLL file as a Browser Helper Object (BHO).

TrojanDownloader:Win32/Tracur.AA may also drop the following component files in the Temporary Files folder:

  • complete.dll
  • dfenc.dll
  • mvenc.dll
  • quota.dll
  • runner.dll
  • stats.dll
  • viewer.dll
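A host-side check for the persistence entries described in the Installation and Payload sections, written as an added example (not part of the Microsoft write-up): it builds the full set of <string 1><string 2>.dll names plus the hard-coded ones listed in the report and flags Run-key entries, supplied as (name, data) pairs, whose data points at one of them via rundll32 or at the wsusupdate.exe loader. The sample entries, user and folder names are constructed.

```python
import os
import re

# Indicators transcribed from the report above (added example code, not Microsoft's tooling).
RUN_VALUE_NAMES = {
    "adobe update", "appleprofileprofile", "displayprofilepolicy", "intel update",
    "javanotifierprofile", "local update", "microsoftbackupverifier",
    "microsoftverifierpolicy", "netscape update", "odbc update", "update", "wsusupdate",
}
STRING1 = ["explorer", "hardware", "internet", "network", "security",
           "service", "shell", "system", "tcpip", "tray"]
STRING2 = ["admin", "codec", "ptr", "sys", "sys32", "user", "win32", "wmp",
           "wow64", "x86_x64"]
# Every <string 1><string 2>.dll combination plus the hard-coded base names.
DLL_NAMES = {a + b + ".dll" for a in STRING1 for b in STRING2} | {
    "adobeup.dll", "applicationhistoryup.dll", "aresup.dll", "bittorrentup.dll",
    "shareazaup.dll", "appleprofileprofile.dll", "displayprofilepolicy.dll",
    "keyboardnotifierverifier.dll", "microsoftbackupverifier.dll",
    "microsoftverifierpolicy.dll",
}
# Matches: rundll32 "<path>.dll", dllregisterserver  (quotes and spacing may vary)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*dllregisterserver', re.IGNORECASE)
LOADER_RE = re.compile(r'\\wsusupdate\\wsusupdate\.exe"?\s*$', re.IGNORECASE)

def classify_run_entry(name, data):
    """Return a reason string if a Run-key (name, data) pair matches the
    Tracur.AA indicators above, else None."""
    m = RUNDLL_RE.search(data)
    if m:
        base = os.path.basename(m.group(1).replace("\\", "/")).lower()
        if base in DLL_NAMES:
            return "rundll32 loads a Tracur.AA DLL name: " + base
    if LOADER_RE.search(data):
        return "wsusupdate.exe DLL-loader path"
    if name.lower() in RUN_VALUE_NAMES:
        # Weak signal on its own: the value name alone can be legitimate.
        return "Run value name matches, data does not (verify manually)"
    return None

def scan_run_entries(entries):
    """Classify (value_name, value_data) pairs exported from the HKCU Run key."""
    results = [(n, classify_run_entry(n, d)) for n, d in entries]
    return [(n, r) for n, r in results if r]

# Constructed sample Run-key export (not real data): benign and suspicious mixed.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Local Update", r'rundll32 "C:\Users\alice\AppData\Roaming\networksys32.dll", dllregisterserver'),
    ("WSUSUpdate", r'C:\Users\alice\AppData\Local\q7z1\wsusupdate\wsusupdate.exe'),
    ("Update", r'rundll32 "C:\Users\alice\AppData\Local\Temp\adobeup.dll", dllregisterserver'),
    ("Adobe Update", r'"C:\Program Files\Adobe\ARM\AdobeARM.exe"'),
]
```

Feed it the output of a Run-key export; a name-only match is reported separately because several of the listed value names imitate legitimate updaters.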


Modifies Internet Explorer settings

TrojanDownloader:Win32/Tracur.AA modifies the registry to change the following Internet Explorer settings:

Disables warnings when trying to access an unsecured page from a secured one:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnonZoneCrossing"
With data: "0"

Disables opening Internet Explorer in Offline mode:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "GlobalUserOffline"
With data: "0"

Enables the First Run Customize settings for Internet Explorer:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "DisableFirstRunCustomize"
With data: "0"

Disables checking whether Internet Explorer is the default browser:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Check_Associations"
With data: "0"

Contacts remote host

The malware may contact a remote host at 213.174.137.85 using port 80. Commonly, malware may contact a remote host for the following purposes:

  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer




Analysis by Rodel Finones

Last update 22 March 2012
