Trojan:Win32/Tracur.AU

Encyclopedia entry
Updated: Nov 05, 2012  |  Published: Jun 29, 2012

Aliases
  • TR/Barys.6082.773 (Avira)
  • Trojan/Win32.Casu (AhnLab)
  • Trojan-Dropper.Win32.Clons.rmt (Kaspersky)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.151.275.0
Released: May 17, 2013
Detection initially created:
Definition: 1.129.737.0
Released: Jun 29, 2012

Summary

Trojan:Win32/Tracur.AU is a trojan that redirects web searches and may also download and run arbitrary files.

It is a member of the Win32/Tracur family of trojans.

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Searches you make in the following search engines may be redirected:
     
    • AOL
    • Bing
    • Google
    • Yahoo
       
  • The presence of the following registry modification:
     
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<malware's sub-folder>"
    With data: "rundll32.exe "%LOCALAPPDATA%\<malware's sub-folder>\<random>.dll",<export function>"

Technical Information (Analysis)

Trojan:Win32/Tracur.AU is a trojan that redirects web searches and may download and run arbitrary files.

It is a member of the Win32/Tracur family of trojans.

Installation

Trojan:Win32/Tracur.AU is dropped and run by another piece of malware, called a "loader", which is also detected as Trojan:Win32/Tracur.AU.

The loader drops Trojan:Win32/Tracur.AU as a DLL file with a random name into a folder in %LOCALAPPDATA%. The folder it creates is named after an existing folder name, as in the following examples:

  • %LOCALAPPDATA%\Local AppWizard-Generated Applications\ztqtolqs.dll
  • %LOCALAPPDATA%\Microsoft\nlpvosgf.dll

Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local".

Trojan:Win32/Tracur.AU modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware's sub-folder>"
With data: "rundll32.exe "%LOCALAPPDATA%\<malware's sub-folder>\<random>.dll",<export function>"

where <export function> is a function defined in the DLL's code, for example:

  • CheckCTCRCVersion
  • TX-Export
  • mpegInVideoAuxinfo

The following is an example of the modified registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Local AppWizard-Generated Applications"
With data: "rundll32.exe "C:\Users\<user>\AppData\Local\Local AppWizard-Generated Applications\ztqtolqs.dll", CheckCTCRCVersion"

When run, Trojan:Win32/Tracur.AU loads the dropped DLL.
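
The persistence shape described above (a Run value named after a sub-folder of %LOCALAPPDATA%, whose data is rundll32.exe loading a randomly named DLL from that sub-folder by export name) is easy to hunt for. The script below is an added example written for this page; it is not Microsoft's code and not part of the malware. The sample Run values are constructed, the verdict labels and the read_hkcu_run_values helper are this example's own, and the three %LOCALAPPDATA% prefixes are assumed from the default paths given in the note above.

```python
import re
import sys

# Shape of the Run value data described above:
#   rundll32.exe "<dll path>",<export function>
# The pattern also tolerates a full path to rundll32, a missing ".exe",
# an unquoted DLL path and whitespace after the comma.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)\s*$',
    re.IGNORECASE,
)

# Ways %LOCALAPPDATA% shows up in Run data (assumed from the default paths
# above): unexpanded, or expanded on Vista/7/8, or expanded on 2000/XP/2003.
LOCAL_APPDATA_PREFIXES = (
    re.compile(r'^%LOCALAPPDATA%\\', re.IGNORECASE),
    re.compile(r'^[a-z]:\\Users\\[^\\]+\\AppData\\Local\\', re.IGNORECASE),
    re.compile(r'^[a-z]:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\', re.IGNORECASE),
)


def parse_rundll32(command):
    """Return (dll_path, export) if the command is a rundll32 invocation, else None."""
    m = RUNDLL32_RE.match(command)
    return (m.group('dll'), m.group('export')) if m else None


def classify_run_value(value_name, data):
    """Grade one Run value: 'tracur-like', 'suspicious' or None (nothing to report)."""
    parsed = parse_rundll32(data)
    if parsed is None:
        return None
    dll, _export = parsed
    if not any(p.match(dll) for p in LOCAL_APPDATA_PREFIXES):
        return None  # rundll32 loading from System32 etc. is routine for legitimate software
    parts = dll.split('\\')
    subfolder = parts[-2] if len(parts) >= 2 else ''
    # Tracur names the Run value after the sub-folder that holds its DLL
    if subfolder and subfolder.lower() == value_name.lower():
        return 'tracur-like'
    return 'suspicious'  # rundll32 from a user-writable folder, but not the exact Tracur shape


def scan_run_values(values):
    """values: iterable of (name, data); returns (name, verdict, (dll, export)) for each hit."""
    hits = []
    for name, data in values:
        verdict = classify_run_value(name, data)
        if verdict:
            hits.append((name, verdict, parse_rundll32(data)))
    return hits


def read_hkcu_run_values():
    """Enumerate the live HKCU Run key (Windows only, via the standard winreg module)."""
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Run') as key:
        i = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, i)
            except OSError:  # raised once there are no more values
                break
            out.append((name, str(data)))
            i += 1
    return out


# Constructed sample values (not captured from a real host): the first three
# follow the pattern described above, the remaining ones are decoys.
SAMPLE_RUN_VALUES = [
    ('Local AppWizard-Generated Applications',
     r'rundll32.exe "C:\Users\alice\AppData\Local\Local AppWizard-Generated Applications\ztqtolqs.dll", CheckCTCRCVersion'),
    ('Microsoft', r'rundll32.exe "%LOCALAPPDATA%\Microsoft\nlpvosgf.dll",TX-Export'),
    ('Intel', r'"C:\Windows\system32\rundll32.exe" "C:\Documents and Settings\bob\Local Settings\Application Data\Intel\qwmxrtpa.dll",mpegInVideoAuxinfo'),
    ('Updater', r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\helper.dll",Start'),  # value name != folder
    ('NvCplDaemon', r'RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup'),       # not from %LOCALAPPDATA%
    ('OneDrive', r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),  # not rundll32
]

if __name__ == '__main__':
    values = read_hkcu_run_values() if sys.platform == 'win32' else SAMPLE_RUN_VALUES
    for name, verdict, (dll, export) in scan_run_values(values):
        print(f'{verdict:12} {name!r}: {dll} -> {export}')
```

On a Windows host the script reads the real Run key; elsewhere it runs against the constructed samples. The 'suspicious' grade exists because rundll32 loading any DLL from a user-writable location deserves a look even when the value name does not match the folder; a full triage would also check whether the DLL's file name looks random and whether it is signed.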

Payload
Redirects user searches

Trojan:Win32/Tracur.AU redirects searches you make in the following search engines:

  • AOL
  • Bing
  • Google
  • Yahoo

Contacts remote host

Trojan:Win32/Tracur.AU may contact the following remote hosts:

  • 199.71.233.126
  • 83.133.127.200
  • cms.abmr.net

The trojan contacts these hosts to determine the addresses to redirect your searches to. However, the trojan may also contact these hosts for the following purposes:

  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data or browsing activity taken from your computer

Additional information

Trojan:Win32/Tracur.AU creates a mutex with a random GUID as its name, possibly as an infection marker to prevent multiple instances from running on your computer, for example:

  • {437E2C19-A2E9-859E-3CE7-A178DEFBBCA9}
  • {A3AC9628-2432-34FC-AC06-04E04050F2DC}
  • {84B016AA-E679-0362-D199-416162D379A2}

The trojan may also modify the following registry entry, possibly to store additional configuration details or information about the malware:

In subkey: HKCU\Software\<randomly chosen existing folder name>
Sets value: "<random GUID>"
With data: "<encrypted data>"

For example:

In subkey: HKCU\Software\Intel
Sets value: "{6C2A9407-A1A1-6264-1411-DAA157C1708D}"
With data: "<encrypted data>"
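
The configuration value described above (a GUID-named binary value placed directly under an existing HKCU\Software\<vendor> key) can be hunted for in a registry export. The script below is an added example written for this page, not Microsoft's code. It assumes a regedit "Version 5.00" .reg export, treats "directly under HKCU\Software\<one folder>" as the location to inspect (a heuristic of this example, since deeper Microsoft keys legitimately hold GUID-named binary values), and uses byte entropy as supporting evidence that the blob is encrypted; the 0.75 ratio and the sample export, including the {D2B0C3E4-...} GUID, are constructed for the example.

```python
import math
import re
from collections import Counter

# Value names Tracur uses look like a registry-style GUID in braces.
GUID_RE = re.compile(
    r'^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$', re.IGNORECASE)


def _unescape(s):
    # .reg string escaping: backslash and double quote are backslash-escaped
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg_export(text):
    """Minimal parser for a regedit 'Version 5.00' export.

    Returns {key_path: {value_name: (kind, data)}}; kind is 'sz' (str),
    'hex' (bytes, i.e. REG_BINARY) or 'raw' (anything else, kept as text).
    A key's default value is stored under the name ''.
    """
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        while line.endswith('\\'):  # hex data wraps onto the next line after a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        name, raw = line.split('=', 1)
        name = '' if name == '@' else _unescape(name[1:-1])
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ('sz', _unescape(raw[1:-1]))
        elif raw.lower().startswith('hex:'):
            keys[current][name] = ('hex', bytes.fromhex(raw[4:].replace(',', '')))
        else:
            keys[current][name] = ('raw', raw)
    return keys


def load_reg_file(path):
    # regedit writes exports as UTF-16 LE with a BOM; 'utf-16' consumes the BOM
    with open(path, encoding='utf-16') as fh:
        return parse_reg_export(fh.read())


def shannon_entropy(data):
    """Bits per byte; random or encrypted data approaches 8, structured data scores lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hunt_guid_config_values(keys, ratio=0.75):
    # Flag GUID-named REG_BINARY values sitting directly under HKCU\Software\<vendor>.
    # Entropy is judged against the maximum a blob of that length can reach
    # (log2(len), capped at 8), since short blobs cannot score near 8 even if random.
    findings = []
    for key_path, values in keys.items():
        parts = key_path.split('\\')
        if len(parts) != 3 or parts[0].upper() != 'HKEY_CURRENT_USER' or parts[1].lower() != 'software':
            continue
        for name, (kind, data) in values.items():
            if kind == 'hex' and GUID_RE.match(name):
                ent = shannon_entropy(data)
                max_bits = min(8.0, math.log2(len(data))) if len(data) > 1 else 0.0
                findings.append((key_path, name, len(data), round(ent, 2), ent >= ratio * max_bits))
    return findings


# Constructed sample export (not captured from a real infection): the Intel value
# mimics the entry described above; the other keys are decoys the hunt should skip.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Intel]
"{6C2A9407-A1A1-6264-1411-DAA157C1708D}"=hex:9f,3a,c4,11,e0,7b,52,d8,06,ae,f3,2c,61,b9,47,8d,\
  15,ca,70,e9,3e,a2,5b,d0,88,1f,c7,64,fb,29,93,46

[HKEY_CURRENT_USER\Software\Intel\Display]
"InstallDir"="C:\\Program Files\\Intel"

[HKEY_CURRENT_USER\Software\Adobe]
"{D2B0C3E4-5F61-4A7B-8C9D-0E1F2A3B4C5D}"="1.0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{D2B0C3E4-5F61-4A7B-8C9D-0E1F2A3B4C5D}"=hex:01,00,00,00,00,00,00,00
'''

if __name__ == '__main__':
    for key, name, size, ent, high in hunt_guid_config_values(parse_reg_export(SAMPLE_REG)):
        print(f'{key}\\{name}: {size} bytes, {ent} bits/byte{" (high entropy)" if high else ""}')
```

To run it against a real machine, export HKEY_CURRENT_USER\Software with regedit (File > Export) and pass the file to load_reg_file. Entropy alone is not proof of encryption, which is why the hunt first narrows on the location and value name the entry describes and reports entropy only as supporting evidence.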

Related encyclopedia entries

Win32/Tracur

Analysis by Rex Plantado

Prevention

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
