TrojanDownloader:Win32/Tracur.X


TrojanDownloader:Win32/Tracur.X is a trojan that downloads and executes arbitrary files.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

TrojanDownloader:Win32/Tracur.X is a trojan that downloads and executes arbitrary files.

Installation

When executed, TrojanDownloader:Win32/Tracur.X drops a copy of itself in the Windows system folder with a variable file name, for example "samsrv32.exe", together with a DLL component.

It then registers the dropped DLL as a Browser Helper Object (BHO) by modifying the registry, as in the following example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{03970AA5-C169-44BF-B514-B1A9227DD9Dc}\InprocServer32
Sets value: "(default)"
With data: "<system folder>\authz32.dll"

Note that the file name and CLSID value may change among different samples.

TrojanDownloader:Win32/Tracur.X also sets the AppInit_DLLs value so that its DLL is loaded into every process that loads user32.dll, which keeps it running after each Windows restart:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: "AppInit_Dlls"
With data: "<system folder>\<DLL file name>"

It also adds the dropped executable to the Windows Firewall list of authorized applications, under the misleading display name "windows update service", so that its network connections are not blocked:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Modifies value: "<system folder>\<malware file name>"
With data: "<system folder>\<malware file name>:*:enabled:windows update service"

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. By default, the system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.

Payload

Downloads and executes arbitrary files
TrojanDownloader:Win32/Tracur.X attempts to connect to the following IP addresses to download arbitrary files:

  • 91.217.153.48
  • 95.211.1.174
  • 89.187.53.210

Drops other malware

TrojanDownloader:Win32/Tracur.X drops the following files in the Windows system folder:

Additional information

TrojanDownloader:Win32/Tracur.X may modify the following registry entry as part of its installation routine:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "acc0e9de"
With data: "00 52 F7 67 C4 2A CC 01"
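The following Python script is added here as an illustration; it is not part of the original Microsoft entry. It parses a reg.exe text export and checks it for the three registry artifacts this entry documents: a populated AppInit_DLLs value, a Windows Firewall authorized-application entry whose display name is "windows update service", and the Explorer value "acc0e9de". The 8 bytes of that value are decoded on the assumption that they are a little-endian Windows FILETIME; the page does not say what they represent, but the bytes shown decode to 14 June 2011, about a month before this entry was published, which is consistent with an install-time stamp. The sample export, the reuse of the page's example file names samsrv32.exe and authz32.dll, and the filler values LoadAppInit_DLLs and ShellState are constructed for the example.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample input (not from the page): a reg.exe text export of the
# three keys this entry documents. File names reuse the page's examples;
# the LoadAppInit_DLLs and ShellState values are filler to show non-matches.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\authz32.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\samsrv32.exe"="C:\\Windows\\System32\\samsrv32.exe:*:enabled:windows update service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"acc0e9de"=hex:00,52,f7,67,c4,2a,cc,01
"ShellState"=hex:24,00,00,00
"""

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List")
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
FIREWALL_LABEL = "windows update service"   # display name used by this family
EXPLORER_MARKER = "acc0e9de"                # value name reported in this entry

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg exports double backslashes and escape embedded quotes
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse a reg.exe text export into {key: {value_name: data}}.

    Supports REG_SZ ("..."), REG_DWORD (dword:) and single-line REG_BINARY (hex:).
    Default values ("@=") and multi-line hex continuations are not needed here."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, payload = _unescape(m.group(1)), m.group(2)
        if payload.startswith('"') and payload.endswith('"'):
            data = _unescape(payload[1:-1])
        elif payload.startswith("dword:"):
            data = int(payload[6:], 16)
        elif payload.startswith("hex:"):
            data = bytes.fromhex(payload[4:].replace(",", ""))
        else:
            data = payload
        entries[current][name] = data
    return entries


def filetime_to_datetime(blob):
    """Decode 8 little-endian bytes as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if len(blob) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", blob)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def find_tracur_indicators(entries):
    """Return the artifacts from this entry found in a parsed export, in a fixed order."""
    findings = []

    # 1. AppInit_DLLs is empty on a clean system; any DLL listed is loaded into
    #    every process that loads user32.dll, so report each path.
    appinit = entries.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    if isinstance(appinit, str) and appinit.strip():
        for dll in re.split(r"[ ,]+", appinit.strip()):
            findings.append({"indicator": "appinit_dll", "evidence": dll})

    # 2. XP-style firewall exception: "<path>:*:enabled:<display name>".
    #    Flag enabled entries that borrow this family's display name.
    for data in entries.get(FIREWALL_LIST_KEY, {}).values():
        if not isinstance(data, str):
            continue
        m = re.match(r"^(.*?):\*:(enabled|disabled):(.*)$", data, re.IGNORECASE)
        if m and m.group(2).lower() == "enabled" and m.group(3).strip().lower() == FIREWALL_LABEL:
            findings.append({"indicator": "firewall_exception", "evidence": m.group(1)})

    # 3. The 8-byte Explorer value, decoded as a FILETIME on the assumption
    #    (not stated by the page) that it records the install time.
    marker = entries.get(EXPLORER_KEY, {}).get(EXPLORER_MARKER)
    if isinstance(marker, bytes) and len(marker) == 8:
        findings.append({"indicator": "explorer_marker", "evidence": EXPLORER_MARKER,
                         "decoded_time": filetime_to_datetime(marker)})
    return findings


if __name__ == "__main__":
    for finding in find_tracur_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live system the same checks can be run against the output of `reg export` for each of the three keys; the firewall check matches on the display name rather than the file name because the entry notes that the file name varies between samples.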

Analysis by Wei Li


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    Data: "<system folder>\<malware file name>:*:enabled:windows update service"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
    Sets value: "acc0e9de"
    With data: "00 52 F7 67 C4 2A CC 01"


Prevention


Alert level: Severe
This entry was first published on: Jul 20, 2011
This entry was updated on: Aug 01, 2011

This threat is also detected as:
  • Gen.Variant.Katusha (Ikarus)
  • Mal/Katush-A (Sophos)