Home / malwarePDF  

Trojan:Win32/Dursg.I


First posted on 31 August 2011.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/Dursg.I.

Explanation :

Trojan:Win32/Dursg.I is a trojan that monitors Internet keyword searches to display pop-up advertisements.
Top

Trojan:Win32/Dursg.I is a trojan that monitors Internet keyword searches to display pop-up advertisements.

Installation
This trojan is installed by variants of Win32/Tracur. When run, the trojan creates a mutex named "SERPv2" to avoid running more than one instance of the malware. A copy of the trojan is dropped as the following:

  • %APPDATA%\syswin\lsass.exe
The registry is modified, depending on the operating system and user privilege, to run the trojan at each Windows start. In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\RunSets value: "RTHDBPL"With data: "%APPDATA%\syswin\lsass.exe" In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sets value: "RTHDBPL" With data: "%APPDATA%\syswin\lsass.exe" In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunSets value: "RTHDBPL"With data: "%APPDATA%\syswin\lsass.exe" Additional registry data is created during installation of the trojan. In subkey: HKCU\IdentitiesSets value: "KillSelf"With data: "ok" In subkey: HKLM\SOFTWARESets value: "KillSelf"With data: "ok"

Payload
Redirects web searches
Trojan:Win32/Dursg.I monitors application windows for any of the following web browsers:
  • Explorer
  • Opera
  • Chrome
  • Safari
  • FireFox
It then monitors and compares search strings entered with the following keywords list:
  • airlines
  • amazon
  • antivir
  • antivirus
  • baseball
  • books
  • casino
  • cialis
  • cigarettes
  • comcast
  • craigslist
  • credit
  • dating
  • design
  • doctor
  • estate
  • fashion
  • finance
  • flights
  • flower
  • footbal
  • football
  • gambling
  • gifts
  • graphic
  • health
  • hotel
  • insurance
  • iphone
  • loans
  • medical
  • military
  • mobile
  • money
  • mortgage
  • movie
  • music
  • myspace
  • pharma
  • pocker
  • poker
  • school
  • software
  • sport
  • spybot
  • spyware
  • trading
  • tramadol
  • travel
  • twitter
  • verizon
  • video
  • virus
  • vocations
  • wallpaper
  • weather
  • youtube


If the search string matches any of the above keywords, the trojan displays a pop-up advertisement from the domain "premsearch.com".



Analysis by Rodel Finones

Last update 31 August 2011

 

TOP

Malware :

Family: