
Trojan:Win32/Dursg.C


First posted on 08 March 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Dursg.C is also known as Win32/Fruspam.BY (CA), Win32/Dursg.A (ESET), Virus.Win32.Vbinder (Ikarus), BackDoor-DOQ (McAfee), Mal/VBInject-D (Sophos), WORM_PROLACO.D (Trend Micro).

Explanation :

Trojan:Win32/Dursg.C is a trojan that redirects Web searches when a user enters certain key words as a search query in specific search sites.

Installation

Trojan:Win32/Dursg.C may be installed by other malware such as Worm:Win32/Prolaco.K. When run, the trojan creates the following components:

  • %ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf
  • %ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest
  • %ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul
  • %USERPROFILE%\Application Data\systemproc\lsass.exe - Trojan:Win32/Dursg.C

The trojan may also drop a copy of itself as "c:\autoexec.exe".

The registry is modified to run the trojan at each Windows start.

Adds value: "RTHDBPL"
With data: "%USERPROFILE%\Application Data\systemproc\lsass.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Payload

Redirects user searches

When a user uses the Web browser to conduct searches using certain search engines, the browser is redirected to the server "searchrequest2.com". The following search engines are impacted by the trojan:

  • Google.com
  • Ask.com
  • Yahoo.com
  • AOL.com search
  • Bing.com

Downloads arbitrary files

The trojan attempts to download arbitrary files from the domain "qulino.com". At the time of this writing, the server was unavailable.

Displays pop-up advertisements

Trojan:Win32/Dursg.C monitors the following Web browsers:

  • Internet Explorer
  • Opera
  • Chrome
  • Firefox

The trojan monitors keyword searches including the following partial list:

antivir, antivirus, baby, bany, baseball, books, casino, cialis, craigslist, credit, dating, design, diet, ebay, estate, finance, football, gambling, gifts, golf, graphic, health, hotel, insurance, job, loans, money, mortgage, myspace, pharma, pocker, poker, porn, shop, spyware, travel, video, virus, vocations

If any of the above listed keywords are used as a search term, the trojan displays pop-up advertisements from the domain "searchxx.com".

Additional Information

The trojan creates other registry data to record adware pop-up information on the affected computer:

  • HKCU\Identities\First Start
  • HKCU\Identities\Last Time
  • HKCU\Identities\Last Date
  • HKCU\Identities\Curr version
  • HKCU\Identities\Send Inst
  • HKCU\Identities\Inst Date
  • HKCU\Identities\Popup count
  • HKCU\Identities\Popup time
  • HKCU\Identities\Popup date
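
A read-only host check for the artifacts this entry lists, added here as an example (it is not code from the advisory or from Microsoft). It assumes the HKCU\Identities entries are registry values (it also looks for them as subkeys), and checks both the legacy "Application Data" path and its modern %APPDATA% location.

```powershell
# Added example: report Trojan:Win32/Dursg.C artifacts named in this entry.
# Read-only: it lists findings and removes nothing.
$findings = @()

# Persistence: value "RTHDBPL" under the Explorer policies Run subkey
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'RTHDBPL' -ErrorAction SilentlyContinue
if ($runVal) { $findings += "Run value RTHDBPL -> $($runVal.RTHDBPL)" }

# Dropped files: a fake lsass.exe outside System32 and the autoexec.exe copy.
# "Application Data" is a junction to AppData\Roaming on newer Windows, so
# both spellings of the path are checked.
$droppedFiles = @(
    (Join-Path $env:USERPROFILE 'Application Data\systemproc\lsass.exe'),
    (Join-Path $env:APPDATA 'systemproc\lsass.exe'),
    'C:\autoexec.exe'
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Firefox extension directory with the GUID given in the advisory
$extDir = Join-Path $env:ProgramFiles `
    'Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}'
if (Test-Path -LiteralPath $extDir) { $findings += "Firefox extension dir: $extDir" }

# Adware bookkeeping data under HKCU\Identities (assumed to be values;
# subkeys with the same names are reported too)
$identKey   = 'HKCU:\Identities'
$identNames = 'First Start','Last Time','Last Date','Curr version','Send Inst',
              'Inst Date','Popup count','Popup time','Popup date'
if (Test-Path -LiteralPath $identKey) {
    $props = Get-ItemProperty -Path $identKey
    foreach ($n in $identNames) {
        if ($props.PSObject.Properties.Name -contains $n) {
            $findings += "HKCU\Identities value present: $n"
        } elseif (Test-Path -LiteralPath (Join-Path $identKey $n)) {
            $findings += "HKCU\Identities subkey present: $n"
        }
    }
}

if ($findings.Count -eq 0) { 'No Trojan:Win32/Dursg.C artifacts found.' } else { $findings }
```

Run it from an elevated PowerShell session so the HKLM and %ProgramFiles% checks are not blocked by access rights; a hit on the Run value or the lsass.exe path outside System32 is the strongest indicator here.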

    Analysis by Tim Liu

    Last update 08 March 2010
