Win32/Tracur


Microsoft security software detects and removes this threat.

Win32/Tracur is a family of trojans that can redirect your web searches. They do this to earn revenue for the malware authors via online advertisement fraud. The trojans hijack search result links from the following search engines, and redirect you to a different webpage:

  • Alltheweb
  • Altavista
  • AOL
  • Ask
  • Bing
  • Gigablast
  • Google
  • Hotbot
  • Lycos
  • Netscape
  • Snap
  • Yahoo
  • Youtube

Win32/Tracur can also download and run files, including other malware, and give a hacker control of your PC.

These threats can be installed on your PC by other malware, or when you click on a suspicious link or email attachment.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Remove browser add-ons

You may need to remove add-ons from your browser. You can find out how to do this in the following articles:

Remove program exceptions in the firewall

This threat might add itself to your Windows Firewall exception list. This means it can go online without being blocked. To remove it from the exception list, do the following:

For Windows 8:

  1. Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall.
  2. In the left pane, tap or click Allow an app or feature through Windows Firewall.
  3. Tap or click Change settings. You might be asked for an admin password or to confirm your choice.
  4. Select the malware entry in the list of allowed apps, tap or click Remove, and then tap or click OK. (Selecting the check box next to an entry allows it through the firewall, which is the opposite of what you want here.)

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you're prompted, type the password or provide confirmation.
  4. Click Change Settings. If you're prompted, type the password or provide confirmation.
  5. Select <program name> from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the menu on the left, select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you are prompted, type the password or provide confirmation.
  4. Select <program name> from the list of allowed programs and features. Click Delete.
  5. Click OK.

For Windows XP:

  1. Use an administrator account to log on.
  2. Click Start, select Run, type wscui.cpl, and then click OK.
  3. In Windows Security Center, click Windows Firewall.
  4. On the Exceptions tab, click <program name> and then click Delete.
  5. Click OK.

Threat behavior

Installation

Win32/Tracur can be distributed via exploit kits, like Blacole; downloaders, like TrojanDownloader:Win32/Karagany.A; or through social engineering.

Win32/Tracur drops a file with a randomly generated file name into one of the following locations:

  • %USERPROFILE%\Local Settings\Application History\Identities\<random>.dll
  • %USERPROFILE%\AppData\Roaming\HP\<random>.dll
  • %USERPROFILE%\Local Settings\Application Data\<already existing folder>\<random>.dll

We have seen the following file names used:

  • qkhfyjds.dll
  • sdifypfol.dll
  • wkhnzka.dll
  • yqpsrrxwz.dll
  • ytcxc.dll

Win32/Tracur changes the following registry entry to ensure it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(Default)"
With data: "rundll32.exe "<location and name of dropped file>",<export function>", for example "rundll32.exe "%USERPROFILE%\AppData\Roaming\HP\qkhfyjds.dll",DllRegisterServerW"

Win32/Tracur can also drop several changed copies of itself into the system folder, naming each one after a Windows DLL that already exists there with "32" appended, that is <system folder>\<existing DLL name>32.dll or <system folder>\<existing DLL name>32.exe. For example, the existing DLL olecli32.dll gives C:\Windows\System32\olecli3232.exe.

In the wild, we have observed the trojan using the following file names:

  • authz32.dll
  • hal32.dll
  • olecli3232.dll
  • olecli3232.exe

The trojan may drop changed copies of itself as DLL files into a folder path that the trojan creates by combining the names of two folders in the %LOCALAPPDATA% or %APPDATA% folders, in the following format:

  • %LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll
  • %APPDATA%\<second folder>\<first folder>\<random>.dll

For example, if %LOCALAPPDATA% contains a folder called Microsoft and a folder called Netscape, the DLL would be dropped in either one of the following folders:

  • C:\Users\<user>\AppData\Local\Microsoft\Netscape\dwnxzmqxa.dll
  • C:\Users\<user>\AppData\Local\Netscape\Microsoft\dwnxzmqxa.dll

In the wild, we have observed the DLL with the following random file names:

  • dwnxzmqxa.dll
  • egavp.dll
  • goqkcl.dll
  • hbpfdb.dll
  • mvljo.dll
  • onduhznwf.dll
  • qseinzzqz.dll
  • skorlmnjq.dll
  • sshnkky.dll
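
The drop locations described above can be checked directly. The following PowerShell script is an added example for this page, not code from the Microsoft encyclopedia entry: it walks every ordered pair of top-level folders under %LOCALAPPDATA% and %APPDATA% (the <first folder>\<second folder> construction the entry describes) and the older fixed folders, and reports any DLL found at that depth together with its Authenticode status. The "random name" test (5 to 9 lowercase letters, drawn from the samples listed) and the choice to treat an unsigned DLL with such a name as the strongest hit are this script's own heuristics. It is read-only.

```powershell
# Added example; not code from the Microsoft encyclopedia entry. Read-only hunt for DLLs in the
# user-profile drop locations Win32/Tracur is documented to use:
#   * <profile root>\<first folder>\<second folder>\<random>.dll, both names being top-level
#     folders of %LOCALAPPDATA% or %APPDATA% (either order, as the entry describes);
#   * the fixed XP-era folders (Local Settings\Application History\Identities, AppData\Roaming\HP,
#     and any single existing folder directly under Local Settings\Application Data).
# The 5-9 lowercase-letter "random name" test is this script's assumption, based on the samples above.

function New-Report([string]$Path, [string]$Where) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Where      = $Where
        RandomName = ([IO.Path]::GetFileNameWithoutExtension($Path) -cmatch '^[a-z]{5,9}$')
        Signature  = $sig.Status      # 'NotSigned' together with RandomName = True is the strongest hit
        Size       = (Get-Item -LiteralPath $Path).Length
    }
}

function Get-FolderPairDlls([string]$Root) {
    # Every ordered pair (A, B) of distinct top-level folders under $Root; report DLLs that sit
    # directly in $Root\A\B. A legitimate vendor\product tree rarely has a DLL at exactly that depth.
    $names = @(Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    foreach ($first in $names) {
        foreach ($second in $names) {
            if ($first -eq $second) { continue }
            $dir = Join-Path (Join-Path $Root $first) $second
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
            foreach ($dll in Get-ChildItem -LiteralPath $dir -File -Filter '*.dll' -ErrorAction SilentlyContinue) {
                # The HKCU Run value Tracur creates is named after <second folder>; report it for cross-checking.
                New-Report $dll.FullName "folder pair $first\$second (Run value name would be '$second')"
            }
        }
    }
}

function Get-LegacyLocationDlls {
    $fixed = @(
        (Join-Path $env:USERPROFILE 'Local Settings\Application History\Identities'),
        (Join-Path $env:APPDATA 'HP')
    )
    foreach ($d in $fixed) {
        foreach ($dll in Get-ChildItem -LiteralPath $d -File -Filter '*.dll' -ErrorAction SilentlyContinue) {
            New-Report $dll.FullName "fixed drop folder $d"
        }
    }
    # XP layout: <random>.dll placed inside any folder that already exists one level down.
    $local = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
    foreach ($sub in Get-ChildItem -LiteralPath $local -Directory -ErrorAction SilentlyContinue) {
        foreach ($dll in Get-ChildItem -LiteralPath $sub.FullName -File -Filter '*.dll' -ErrorAction SilentlyContinue) {
            New-Report $dll.FullName 'existing folder under Local Settings\Application Data'
        }
    }
}

$report = @()
foreach ($root in @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    $report += Get-FolderPairDlls $root
}
$report += Get-LegacyLocationDlls
if ($report) { $report | Sort-Object RandomName -Descending | Format-Table -AutoSize -Wrap }
else { 'No DLLs found in Tracur-style drop locations for this user.' }
```

On Windows Vista and later the "Local Settings" paths are access-denied junctions, so those branches simply return nothing; the folder-pair scan covers the same data under AppData\Local. Run the script under each user account you want to check, since it only looks at the current user's profile.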

Win32/Tracur also changes the registry so that the malware DLL is loaded each time one of these browsers runs as its parent process:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe

If none of the browsers above is identified as the parent process, the malware exits.

The following are the changes that the malware makes to the registry to ensure the DLL is run:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<system folder>\<existing DLL name>32.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<key>
Sets value: "DllName"
With data: "<system folder>\<existing DLL name>32.dll"

where <key> is derived from your PC's volume serial number (for example, acc0e9de849 and acc0e9de1018).

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%APPDATA%\<first folder>\<second folder>\<random>.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%LOCALAPPDATA%\<first folder>\<second folder>\<random>.dll",DllRegisterServer"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "rundll32.exe "%APPDATA%\<first folder>\<second folder>\<random>.dll",DllRegisterServer"

where <malware value> is the same as <second folder>, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Local\Microsoft\Ares\dwnxzmqxa.dll",CreateInstance"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ares"
With data: "rundll32.exe "C:\Users\<user>\AppData\Roaming\Microsoft\Ares\dwnxzmqxa.dll",DllRegisterServer"

The trojan also creates the following registry entry, possibly as an infection marker in order to prevent multiple instances of the malware from running and arousing suspicion:

In subkey: HKCU\Software\<mutex name>\CLSID, for example "HKCU\Software\bwukqmmsyf\CLSID"
Sets value: "(Default)"
With data: "<random globally unique identifier>", for example "{7d5b4281-35a1-4e0f-9c1d-cca2b6f45d50}"

Win32/Tracur can create the following events and mutexes with randomly generated names to ensure that only one copy of the threat runs on your PC at any one time:

  • 6003E92E5B1-D6FE-4804-9E28-FEF7FA8750A44592
  • bwukqmmsyf
  • C21234D3-5CC2-4bdd-9BE7-82A34EF3FAE0
  • dmxkwuuwjr
  • F90C5025-8C4C-4605-84D2-C798A4BCD209849

The malware can install one of the dropped files as a Browser Helper Object (BHO) by adding the following registry entries:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{<CLSID value>}\InProcServer32
Sets value: "(Default)"
With data: "<system folder>\<existing DLL name>32.dll"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<CLSID value>}
Sets value: "NoExplorer"
With data: "1"

In the wild, we have observed <CLSID value> to have the value {05C378E0-9FB2-4EFD-985A-276C6C8C623b} or {55A59ADA-4ABD-99C6-4018-99A9B02C7123}. However, it may vary.
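
Every persistence location described in this section can be read back from a live system. The PowerShell script below is an added example for this page, not code from the Microsoft encyclopedia entry. It enumerates the HKCU Run key, AppInit_DLLs, Winlogon\Notify, the registered Browser Helper Objects and the HKCU\Software\<mutex name>\CLSID marker, and flags entries that match the patterns documented above. The regular expressions and the "<existing DLL name>32.dll" test (strip the trailing 32 and check whether that DLL really exists in System32) are this script's own heuristics; the two CLSIDs are the ones reported on this page. It changes nothing; verify each hit before removing anything.

```powershell
# Added example; not code from the Microsoft encyclopedia entry. Read-only triage of the
# autostart locations Win32/Tracur is documented to modify: the HKCU Run key, AppInit_DLLs,
# Winlogon\Notify, Browser Helper Objects and the HKCU\Software\<mutex name>\CLSID marker.
# Run from an elevated prompt. The regular expressions and the "<existing DLL>32.dll" test are
# this script's own heuristics; the two CLSIDs are the ones the entry reports. Verify each hit.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Location, [string]$Name, [string]$Data, [string]$Why) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Data = $Data; Why = $Why })
}

function Test-ShadowedSystemDll([string]$Path) {
    # Tracur names its system-folder copies <existing DLL name>32.dll/.exe (hal.dll -> hal32.dll,
    # olecli32.dll -> olecli3232.dll). True when the name minus its trailing "32" is a DLL that
    # really exists in System32; kernel32.dll is not flagged because kernel.dll does not exist.
    $leaf = [IO.Path]::GetFileName($Path)
    if ($leaf -notmatch '^(?<base>.+)32\.(dll|exe)$') { return $false }
    return (Test-Path (Join-Path $env:SystemRoot "System32\$($Matches['base']).dll"))
}

# 1. HKCU Run: rundll32 loading a DLL from the user profile via one of the exports the entry lists.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runRx  = '(?i)^\s*"?rundll32(\.exe)?"?\s*"?(?<dll>[^",]+\.dll)"?\s*,\s*(?<export>CreateInstance|DllRegisterServerW?)\s*$'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                  # PSPath, PSParentPath, ... metadata
        $data = [string]$p.Value
        if ($data -match $runRx) {
            $dll = [Environment]::ExpandEnvironmentVariables($Matches['dll'])
            if ($dll -like "$env:USERPROFILE\*") {
                Add-Finding $runKey $p.Name $data "rundll32 calls $($Matches['export']) in a user-profile DLL"
            }
        }
    }
}

# 2. AppInit_DLLs: every listed DLL is mapped into each process that loads user32.dll.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = [string](Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($entry in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
    $why = if (Test-ShadowedSystemDll $entry) { 'AppInit_DLLs entry named <existing DLL>32.dll' } else { 'AppInit_DLLs is non-empty; verify the entry' }
    Add-Finding $winKey 'AppInit_DLLs' $entry $why
}

# 3. Winlogon\Notify: Tracur adds a subkey named after the volume serial number (hex digits only).
#    Windows Vista and later no longer load notification packages, so any subkey here deserves a look.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = [string](Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DllName
        if ($sub.PSChildName -match '^[0-9a-f]{8,}$' -or (Test-ShadowedSystemDll $dll)) {
            Add-Finding $sub.PSPath 'DllName' $dll 'hex-named Notify package or <existing DLL>32.dll'
        }
    }
}

# 4. BHOs: in-process server is a <existing DLL>32.dll, or the CLSID is one the entry reports.
$knownClsids = '{05C378E0-9FB2-4EFD-985A-276C6C8C623b}', '{55A59ADA-4ABD-99C6-4018-99A9B02C7123}'
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($bho in Get-ChildItem -Path $bhoKey) {
        $clsid  = $bho.PSChildName
        $server = [string](Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
        if (($knownClsids -contains $clsid) -or (Test-ShadowedSystemDll $server)) {
            Add-Finding "$bhoKey\$clsid" 'InProcServer32' $server 'BHO served by <existing DLL>32.dll or known Tracur CLSID'
        }
    }
}

# 5. Infection marker: HKCU\Software\<10 lowercase letters>\CLSID whose default value is a GUID.
foreach ($k in Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue) {
    if ($k.PSChildName -cmatch '^[a-z]{10}$' -and (Test-Path "$($k.PSPath)\CLSID")) {
        $guid = [string](Get-ItemProperty -Path "$($k.PSPath)\CLSID" -ErrorAction SilentlyContinue).'(default)'
        if ($guid -match '^\{[0-9a-f-]{36}\}$') { Add-Finding $k.PSPath 'CLSID\(Default)' $guid 'Tracur-style infection marker' }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No Tracur-style autostart entries found.' }
```

Checks 2 to 5 read HKLM and therefore need an elevated prompt; check 1 reads the HKCU hive of whichever user runs the script, so repeat it for every account on the machine. Because the DLL in check 2 is loaded into every process, a hit there should be removed from AppInit_DLLs before the file itself is deleted, otherwise the file stays locked by running processes.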

Payload

Redirects web searches

Win32/Tracur monitors your web browsing and may redirect web searches to a malicious URL when one of the following search engines is used:

  • Alltheweb
  • Altavista
  • AOL
  • Ask
  • Bing
  • Gigablast
  • Google
  • Hotbot
  • Lycos
  • Netscape
  • Snap
  • Yahoo
  • Youtube

Members of the Win32/Tracur family do this redirection by sending the keywords you entered into the search site to another server (called a "command and control" or "C&C" server). This server sends back the URL it wants your browser to go to. The sites themselves vary, and you may experience one of the following situations:

  • You are redirected to where you intended to go
  • You are redirected to a site that is very similar to where you intended to go
  • You go to a "landing page" which has a number of links that you can click on, that may then take you to where you intended to go
  • You are redirected to a random site that is not at all where you were intending to go
  • You are redirected to a broken link and end up at an error page

To aid in its search-redirection payload, some variants install a Firefox browser extension by dropping a JAR archive file (a ZIP-format archive) with an .xpi extension at the following location:

<Firefox profile>\<profile name>\extensions\<random>@<random>.org.xpi

Notes:

  • <Firefox profile> is taken from the profile paths of different user accounts that the trojan retrieves from the following registry entry:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user ID>\ProfileImagePath
    where <user ID> is the account's security identifier (SID), for example "S-1-5-18"
  • <profile name> refers to the name of your Firefox profile, and may consist of letters and numbers
  • <random> contains ten randomly generated characters, for example "idirktvriu@idirktvriu.org.xpi"

The Firefox browser extension contains another JAR archive file, for example printing.jar or doance.jar, which in turn contains a malicious overlay.xul file (a XUL overlay that carries the extension's JavaScript), detected as Trojan:JS/Tracur.E.

Win32/Tracur also installs an extension into the Google Chrome browser by dropping a file into a randomly named folder in the Chrome profile folder, for example:

%LOCALAPPDATA%\Google\Chrome\User Data\Default\Default\aadhdhdjgddbdfddgcdjggdededagbdf\contentscript.js
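
The browser artefacts just described are easy to miss with a registry-only scan, so the following PowerShell script, an added example for this page rather than code from the Microsoft encyclopedia entry, looks for them on disk. It enumerates user profiles the same way the trojan does (ProfileImagePath under ProfileList), then checks each Firefox profile's extensions folder for the <random>@<random>.org.xpi name pattern, opens any match as a ZIP to list the inner JAR and test whether it carries overlay.xul, and searches Chrome's User Data for a contentscript.js sitting directly inside a 32-letter extension-ID folder. It assumes the Windows Vista and later profile layout (AppData\Roaming, AppData\Local), that a legitimate Chrome extension keeps its files one level deeper under Extensions\<id>\<version>\, and that the random part of the XPI name is the same ten letters on both sides of the "@" as in the example above; those are this script's assumptions. Run it elevated to read other users' profiles.

```powershell
# Added example; not code from the Microsoft encyclopedia entry. Read-only hunt for the Firefox
# and Chrome extension artefacts Win32/Tracur drops, across every account under ProfileList.
# Assumptions: Vista-and-later profile layout; XPI name <random>@<random>.org.xpi with the same
# ten lowercase letters on both sides; a Chrome extension ID folder normally holds version
# subfolders, never a contentscript.js directly.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Get-XpiIndicators([string]$XpiPath) {
    # An .xpi is a ZIP archive. Tracur's wraps a second JAR (printing.jar, doance.jar, ...) whose
    # payload is overlay.xul; list the inner JARs and report whether any of them carries that file.
    $info = [pscustomobject]@{ Browser = 'Firefox'; Path = $XpiPath; InnerJars = @(); HasOverlayXul = $false }
    $zip = [IO.Compression.ZipFile]::OpenRead($XpiPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notmatch '\.jar$') { continue }
            $info.InnerJars += $entry.FullName
            $mem = New-Object IO.MemoryStream          # copy out: the nested archive needs a seekable stream
            $src = $entry.Open()
            try { $src.CopyTo($mem) } finally { $src.Dispose() }
            $mem.Position = 0
            $inner = New-Object IO.Compression.ZipArchive -ArgumentList $mem, ([IO.Compression.ZipArchiveMode]::Read)
            try {
                if ($inner.Entries | Where-Object { $_.Name -eq 'overlay.xul' }) { $info.HasOverlayXul = $true }
            } finally { $inner.Dispose() }
        }
    } finally { $zip.Dispose() }
    $info
}

# Same lookup the trojan performs: every ProfileImagePath listed under ProfileList.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$userDirs = foreach ($sid in Get-ChildItem -Path $profileList) {
    $p = [string](Get-ItemProperty -Path $sid.PSPath -ErrorAction SilentlyContinue).ProfileImagePath
    if ($p) { [Environment]::ExpandEnvironmentVariables($p) }
}

$xpiRx = '^(?<r>[a-z]{10})@\k<r>\.org\.xpi$'       # e.g. idirktvriu@idirktvriu.org.xpi
$results = foreach ($userDir in ($userDirs | Where-Object { Test-Path -LiteralPath $_ })) {
    # Firefox: <profile>\extensions\<random>@<random>.org.xpi in every Firefox profile of the account.
    $ffProfiles = Join-Path $userDir 'AppData\Roaming\Mozilla\Firefox\Profiles'
    foreach ($prof in Get-ChildItem -LiteralPath $ffProfiles -Directory -ErrorAction SilentlyContinue) {
        $extDir = Join-Path $prof.FullName 'extensions'
        foreach ($xpi in Get-ChildItem -LiteralPath $extDir -File -Filter '*.xpi' -ErrorAction SilentlyContinue) {
            if ($xpi.Name -cmatch $xpiRx) { Get-XpiIndicators $xpi.FullName }
        }
    }
    # Chrome: contentscript.js dropped directly inside a 32-letter (a-p) extension-ID folder.
    $chromeRoot = Join-Path $userDir 'AppData\Local\Google\Chrome\User Data'
    foreach ($js in Get-ChildItem -LiteralPath $chromeRoot -Recurse -File -Filter 'contentscript.js' -ErrorAction SilentlyContinue) {
        if ($js.Directory.Name -cmatch '^[a-p]{32}$') {
            [pscustomobject]@{ Browser = 'Chrome'; Path = $js.FullName; InnerJars = @(); HasOverlayXul = $false }
        }
    }
}

if ($results) { $results | Format-Table Browser, Path, HasOverlayXul, InnerJars -AutoSize -Wrap }
else { 'No Tracur-style browser extension artefacts found.' }
```

A Firefox hit with HasOverlayXul = True is the installed Trojan:JS/Tracur.E component; remove the .xpi with the browser closed, then also remove the matching Run value and DLL, since the extension is only the visible half of the redirection.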

Allows backdoor access and control

Variants of Win32/Tracur try to connect to a server via a random TCP port and wait for commands. Using this backdoor, an attacker can do a number of actions on your PC, including the following:

  • Download and run files
  • Control how the redirection payload happens

We have observed it trying to connect to the server 184.173.<removed>.54.

Installs other malware

Older variants of Win32/Tracur may also drop other malware, detected as a variant of the Win32/Dursg family, using the file name lsass.exe (the registry entry below shows the path used, %APPDATA%\syswin\lsass.exe).

Note that lsass.exe is also the name of a legitimate Windows file, which is located by default in <system folder>. A file named lsass.exe anywhere else might be malware.

Win32/Tracur will then make the following change to the registry to ensure that the Win32/Dursg variant runs at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "RTHDBPL"
With data: "%APPDATA%\syswin\lsass.exe"

Changes Windows Firewall settings

Variants may use the Windows utility <system folder>\netsh.exe to add themselves to the Windows Firewall exceptions list, which results in the following registry changes:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "<system folder>\<existing DLL name>32.exe"
With data: "<system folder>\<existing DLL name>32.exe:*:enabled:windows update service"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<system folder>\<existing DLL name>32.exe"
With data: "<system folder>\<existing DLL name>32.exe:*:enabled:windows update service"
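
The registry values above have a fixed format (<path>:<scope>:<Enabled|Disabled>:<display name>), so the exception can be found and removed without clicking through the firewall dialog. The PowerShell script below is an added example for this page, not Microsoft's code, and is the scripted counterpart of the "Remove program exceptions in the firewall" steps earlier on this page. It parses the XP/2003 AuthorizedApplications lists documented above and, as an extension of this example, the FirewallRules values in which Windows Vista and later store per-application rules (a "|"-separated token list with App= and Name= fields). Entries are flagged when the display name is "windows update service" or when the program is a System32 *32.exe whose name minus "32" is an existing system DLL; both tests are this script's own heuristics. It is a dry run unless -Remove is given.

```powershell
# Added example; not code from the Microsoft encyclopedia entry. Lists, and with -Remove deletes,
# Windows Firewall application exceptions that look like the one Win32/Tracur adds
# (<existing DLL name>32.exe in the system folder, labelled "windows update service").
# Reads the XP/2003 AuthorizedApplications lists and, additionally, the Vista-and-later
# FirewallRules values. Run elevated. The matching rules are this script's own heuristics.
param([switch]$Remove)

$policy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$sys32  = Join-Path $env:SystemRoot 'System32'

function Test-TracurException([string]$App, [string]$DisplayName) {
    # Hit on the display name the entry reports, or on a System32 *32.exe whose name minus "32"
    # is an existing system DLL (olecli3232.exe -> olecli32.dll, hal32.exe -> hal.dll).
    if ($DisplayName -match '(?i)^windows update service$') { return $true }
    $leaf = [IO.Path]::GetFileName($App)
    if ($leaf -match '^(?<base>.+)32\.exe$' -and (Test-Path (Join-Path $sys32 "$($Matches['base']).dll"))) { return $true }
    return $false
}

$hits = @()

# XP/2003: one value per program; data is <path>:<scope>:<Enabled|Disabled>:<display name>
foreach ($prof in 'DomainProfile', 'StandardProfile') {
    $key = "$policy\$prof\AuthorizedApplications\List"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                  # provider metadata, not firewall data
        if ([string]$p.Value -match '(?i)^(?<path>.+?):(?<scope>[^:]*):(?<state>enabled|disabled):(?<name>.*)$') {
            $app  = [Environment]::ExpandEnvironmentVariables($Matches['path'])
            $name = $Matches['name']
            if (Test-TracurException $app $name) {
                $hits += [pscustomobject]@{ Key = $key; Value = $p.Name; App = $app; Name = $name }
            }
        }
    }
}

# Vista and later: FirewallRules values; data is a '|'-separated token list, e.g.
# v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Windows\System32\x32.exe|Name=windows update service|
$rulesKey = "$policy\FirewallRules"
if (Test-Path $rulesKey) {
    foreach ($p in (Get-ItemProperty -Path $rulesKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $f = @{}
        foreach ($tok in ([string]$p.Value) -split '\|') {
            if ($tok -match '^(?<k>[^=]+)=(?<v>.*)$') { $f[$Matches['k']] = $Matches['v'] }
        }
        if ($f['App'] -and (Test-TracurException ([Environment]::ExpandEnvironmentVariables($f['App'])) $f['Name'])) {
            $hits += [pscustomobject]@{ Key = $rulesKey; Value = $p.Name; App = $f['App']; Name = $f['Name'] }
        }
    }
}

if (-not $hits) { 'No Tracur-style firewall exceptions found.'; return }
$hits | Format-Table -AutoSize -Wrap
if ($Remove) {
    foreach ($h in $hits) { Remove-ItemProperty -Path $h.Key -Name $h.Value -Verbose }
    'Removed. Restart the firewall service (MpsSvc on Vista and later, SharedAccess on XP) or reboot so the change takes effect.'
} else {
    'Dry run. Re-run with -Remove to delete the listed values; export the keys first (reg export) if you want a backup.'
}
```

On Windows Vista and later the supported way to delete a rule is through the service, for example netsh advfirewall firewall delete rule name="windows update service"; the direct registry deletion above is shown for parity with the XP-style list and should be followed by a firewall service restart.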

Further reading
Related encyclopedia entries

Win32/Dursg

Trojan:JS/Tracur.E

TrojanDownloader:Win32/Karagany.A

Analysis by Rodel Finones and Nikola Livic


Symptoms

The following could indicate that you have this threat on your PC:

  • After clicking on search results, you are taken to a site you were not expecting or intending to go to

Prevention


Alert level: Severe
This entry was first published on: Jul 01, 2011
This entry was updated on: Dec 04, 2013

This threat is also detected as:
  • Win32/Kryptik (ESET)
  • Sefnit (McAfee)
  • W32/Vundo (Norman)
  • Win32.Genome (Kaspersky)
  • Trojan.Alyak (Rising AV)
  • Trojan.Click (Dr.Web)
  • TROJ_TRACUR (Trend Micro)