
Trojan:Win32/Tracur.X


First posted on 13 April 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Tracur.X is also known as Gen.Variant.Katusha (Ikarus), Mal/Katush-A (Sophos).

Explanation:

Trojan:Win32/Tracur.X is a trojan that downloads and executes arbitrary files.


Installation

When executed, Trojan:Win32/Tracur.X drops a copy of itself into the Windows system folder under a variable file name, for example "samsrv32.exe", together with a DLL component, for example "authz32.dll".

It then registers the dropped DLL as a Browser Helper Object (BHO) by creating a COM class registration that points to it, as in the following example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{03970AA5-C169-44BF-B514-B1A9227DD9Dc}\InprocServer32
Sets value: "(default)"
With data: "<system folder>\authz32.dll"

Note that the file name and CLSID value may change among different samples.

Trojan:Win32/Tracur.X also modifies the registry so that the DLL is loaded into every process that loads user32.dll, which persists across Windows restarts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: "AppInit_DLLs"
With data: "<system folder>\<DLL file name>"

It also adds the dropped executable to the Windows Firewall list of authorized applications, under the misleading description "windows update service", so that Windows Firewall treats the program as an allowed application:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Modifies value: "<system folder>\<malware file name>"
With data: "<system folder>\<malware file name>:*:enabled:windows update service"

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.



Payload

Downloads and executes arbitrary files
Trojan:Win32/Tracur.X attempts to connect to the following IP addresses to download arbitrary files:

  • 91.217.153.48
  • 95.211.1.174
  • 89.187.53.210


Drops other malware

Trojan:Win32/Tracur.X drops the following files in the Windows system folder:

  • <system folder>\<random>32.exe - for example olecli3232.exe, detected as Trojan:Win32/Dursg.I
  • <system folder>\<random>32.dll - for example authz32.dll, detected as Trojan:Win32/Tracur.Q

Additional information

Trojan:Win32/Tracur.X may also set the following registry entry as part of its installation routine. The data is 8 bytes of binary data; its layout is consistent with a Windows FILETIME, which suggests an installation-time marker, although its purpose is not confirmed:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "acc0e9de"
With data: "00 52 F7 67 C4 2A CC 01"
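The following Python script is an added example for triaging a host offline; it is not Microsoft's analysis tooling or part of this entry. It parses a registry export in .reg format and flags the artifacts described above: a populated AppInit_DLLs value, a Windows Firewall authorized-application entry whose program lives in the system folder, a CLSID InprocServer32 that points at the same DLL as AppInit_DLLs (the BHO), and the 8-byte binary value under the Explorer key. The sample export is constructed; checking StandardProfile as well as DomainProfile, the marker heuristic (an 8-hex-character value name holding exactly 8 bytes) and decoding those bytes as a FILETIME are assumptions that go beyond what the entry states.

```python
"""Offline triage of a .reg export for the Tracur.X persistence artifacts:
AppInit_DLLs, a Windows Firewall AuthorizedApplications exception, a COM
InprocServer32 that points at the AppInit DLL (the BHO), and the 8-byte
binary marker under Explorer. Added example; not Microsoft's tooling."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample export (not captured from a real host). Paths and
# names mirror the entry's examples; "Vendor App" and "link" are benign
# decoys the script must not flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\authz32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\samsrv32.exe"="C:\\Windows\\System32\\samsrv32.exe:*:enabled:windows update service"
"C:\\Program Files\\Vendor\\app.exe"="C:\\Program Files\\Vendor\\app.exe:*:enabled:Vendor App"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03970AA5-C169-44BF-B514-B1A9227DD9Dc}\InprocServer32]
@="C:\\Windows\\System32\\authz32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"acc0e9de"=hex:00,52,f7,67,c4,2a,cc,01
"link"=hex:1e,00,00,00
"""

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\win(?:dows|nt)\\system32\\", re.I)
# Firewall list data format: "<path>:<scope>:<enabled|disabled>:<description>"
FW_ENTRY_RE = re.compile(r"^(.*?):([^:]*):(enabled|disabled):(.*)$", re.I)


def unescape(s):
    r"""Undo .reg escaping (backslash-escaped backslash and quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: (kind, data)}} from .reg export text.
    Supports quoted strings, dword: and hex[(n)]: data; '@' is the default
    value. Hex continuation lines (trailing backslash) are joined."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("sz", unescape(data[1:-1]))
        elif data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex"):
            hexdata = data.split(":", 1)[1].replace(",", "")
            keys[current][name] = ("bin", bytes.fromhex(hexdata))
    return keys


def filetime_to_utc(raw8):
    """Decode 8 little-endian bytes as a Windows FILETIME (100 ns ticks since 1601)."""
    ft, = struct.unpack("<Q", raw8)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def triage(keys):
    """Return a list of finding tuples; the first element names the indicator."""
    findings = []
    win = keys.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", {})
    appinit = win.get("AppInit_DLLs", ("sz", ""))[1]
    # AppInit_DLLs may list several DLLs separated by spaces or commas.
    appinit_dlls = {p.lower() for p in re.split(r"[ ,;]+", appinit) if p}
    if appinit_dlls:
        findings.append(("appinit_dlls", sorted(appinit_dlls)))
    for path, values in keys.items():
        low = path.lower()
        # Both firewall profiles are checked (assumption; the entry shows DomainProfile).
        if re.search(r"\\firewallpolicy\\(domain|standard)profile\\authorizedapplications\\list$", low):
            for kind, data in values.values():
                m = FW_ENTRY_RE.match(data) if kind == "sz" else None
                if m and m.group(3).lower() == "enabled" and SYSTEM_DIR_RE.match(m.group(1)):
                    findings.append(("firewall_exception", m.group(1), m.group(4)))
        elif r"\clsid\{" in low and low.endswith(r"\inprocserver32"):
            dll = values.get("(default)", ("sz", ""))[1].lower()
            if dll in appinit_dlls:  # the COM server (BHO) DLL is also the AppInit DLL
                findings.append(("bho_dll_also_appinit", path.split("\\")[-2], dll))
        elif low.endswith(r"\software\microsoft\windows\currentversion\explorer"):
            for name, (kind, data) in values.items():
                # Heuristic generalised from the one sample value (assumption): an
                # 8-hex-char name holding exactly 8 bytes, decoded as a FILETIME.
                if kind == "bin" and len(data) == 8 and re.fullmatch(r"[0-9a-f]{8}", name):
                    findings.append(("explorer_marker", name, filetime_to_utc(data)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a suspect host, export the hive with `reg export HKLM hklm.reg` and read the file with `encoding="utf-16"` before passing it to parse_reg, since reg.exe writes its export as UTF-16. The AppInit_DLLs and system-folder firewall findings are worth a look on their own; the cross-reference between the CLSID InprocServer32 path and the AppInit DLL is what ties the two together into this family's installation pattern.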



Analysis by Wei Li

Last update 13 April 2012
