
Trojan:Win32/Tracur.Q


First posted on 13 April 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Tracur.Q.

Explanation :

Trojan:Win32/Tracur.Q is a trojan that redirects user searches from legitimate search sites to a Web site that contains malware. It is installed as a Browser Helper Object (BHO) in Internet Explorer, and replaces Firefox extension settings files.

Installation

When executed, Trojan:Win32/Tracur.Q is installed to the Windows system folder as a DLL and the registry is modified to run the dropped trojan as a BHO, as in the following example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{03488EDA-F994-4B96-AB4B-9178251A6070}\InprocServer32
Sets value: "(default)"
To data: "<system folder>\authz32.dll"

The file name and CLSID value above may change among samples of this trojan.

If Firefox is installed in the system, Trojan:Win32/Tracur.Q also installs itself as a Firefox extension by replacing the following files:

%APPDATA%\Mozilla\Firefox\Profiles\install.rdf
%APPDATA%\Mozilla\Firefox\Profiles\chrome\xulcache.jar
%APPDATA%\Mozilla\Firefox\Profiles\chrome\chrome.manifest

Payload

Redirects user searches

Trojan:Win32/Tracur.Q redirects searches when the following search engines are used:

AOL
Alltheweb.com
Altavista.com
Ask
Bing
Gigablast.com
Google
Hotbot.com
Lycos.com
Netscape.com
Snap.com
Yahoo

Searches to these sites are redirected to the IP address "206.137.17.89", which may contain other malware.

Analysis by Shali Hsieh

Last update 13 April 2012
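
The BHO registration described under Installation can be audited on a host by listing every registered BHO and the DLL its CLSID loads. The following PowerShell is an added example, not part of Microsoft's write-up; the "Browser Helper Objects" key path and the review rule (DLL in a system folder without a valid signature) are assumptions of this example.

```powershell
# Added example: audit registered Internet Explorer BHOs and the DLL each one loads.
# Assumption: BHOs are enumerated from the standard "Browser Helper Objects" key,
# which the write-up above does not name.
$bhoKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    @{ Bho = "HKLM:\SOFTWARE\$bhoKey";             Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$bhoKey"; Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)
$sysDirs = @("$env:windir\System32", "$env:windir\SysWOW64")

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
    foreach ($entry in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid  = $entry.PSChildName
        $inproc = '{0}\{1}\InprocServer32' -f $view.Clsid, $clsid
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            # The "(default)" value holds the DLL path, as in the registry example above
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        }
        $status = 'NoInprocServer32'
        $inSystemDir = $false
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            $inSystemDir = $sysDirs -contains (Split-Path -Path $dll -Parent)
            $status = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -LiteralPath $dll).Status
            } else { 'FileMissing' }
        }
        [pscustomobject]@{
            CLSID       = $clsid
            Dll         = $dll
            InSystemDir = $inSystemDir
            Signature   = "$status"
            # Review rule (assumption): system-folder DLL that is not validly signed
            Review      = ($inSystemDir -and "$status" -ne 'Valid')
        }
    }
}
$report | Sort-Object -Property Review -Descending | Format-Table -AutoSize
```

Rows with Review set to True are leads to check, not verdicts. Because the file name and CLSID vary between samples, the script matches on neither.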

 
