Threat behavior
Trojan:Win32/Dursg is a trojan that redirects web search queries to a malicious URL to display advertisements or download other malware.
Installation
The trojan is installed as the following files:
- %APPDATA%\syswin\lsass.exe
- %APPDATA%\systemproc\lsass.exe
Depending on the affected operating system and user privilege, the registry is modified to execute the trojan at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "RTHDBPL"
To data: "%APPDATA%\syswin\lsass.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "RTHDBPL"
To data: "%APPDATA%\systemproc\lsass.exe"
The trojan also creates the following registry data:
In subkey: HKCU\Identities
Sets value: "KillSelf"
To data: "ok"
In subkey: HKLM\SOFTWARE
Sets value: "KillSelf"
To data: "ok"
The trojan will install a Mozilla Firefox browser extension by dropping the following files:
- %ProgramFiles%\mozilla firefox\extensions\%CLSIDVALUE%\install.rdf
- %ProgramFiles%\mozilla firefox\extensions\%CLSIDVALUE%\chrome.manifest
- %ProgramFiles%\mozilla firefox\extensions\%CLSIDVALUE%\chrome\content\timer.xul - detected as Trojan:JS/Dursg
Payload
Redirects web search results
Trojan:Win32/Dursg monitors web browsing via Mozilla Firefox and may redirect web search results to a malicious URL when one of the following search engines is used:
- Google
- Yahoo
- AOL
- Ask
- Bing
In the wild, we have observed this trojan redirecting searches to the following domains:
- bbsstartexts.com
- gewebsearch.com
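As an added example, not part of this description, the following Python triage helper checks exported autorun entries against the registry persistence values and "KillSelf" marker values listed under Installation, and checks DNS query log lines against the two redirect domains listed above. The DNS log line format, the sample registry entries and the profile path C:\Users\alice\AppData\Roaming are constructed for illustration; the additional check for an autorun entry that launches lsass.exe from anywhere other than %SystemRoot%\System32 is a generalization from the listed indicators (the genuine lsass.exe lives in System32), not something the description states.

```python
"""Triage helper for the Trojan:Win32/Dursg indicators in this description.

Matches (key, value name, data) registry triples and DNS log lines against the
listed persistence entries, marker values and redirect domains. Indicators are
compared case-insensitively; concrete profile paths are folded back to the
%APPDATA% / %SystemRoot% tokens used in the description.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators as listed in the description, lower-cased for comparison.
PERSISTENCE_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
PERSISTENCE_VALUE = "rthdbpl"
DROPPED_PATHS = {
    r"%appdata%\syswin\lsass.exe",
    r"%appdata%\systemproc\lsass.exe",
}
MARKER_VALUES = {
    (r"hkcu\identities", "killself", "ok"),
    (r"hklm\software", "killself", "ok"),
}
REDIRECT_DOMAINS = {"bbsstartexts.com", "gewebsearch.com"}
# Legitimate location of lsass.exe on Windows (general fact, not from the
# description); an autorun entry pointing at lsass.exe elsewhere is suspicious.
SYSTEM32 = r"%systemroot%\system32"


def normalize_path(path: str, appdata: str, systemroot: str = r"C:\Windows") -> str:
    """Lower-case a path and fold the concrete AppData / Windows roots back to
    the %APPDATA% / %SystemRoot% tokens so it can be compared with indicators."""
    p = path.strip().strip('"').lower()
    for token, root in (("%appdata%", appdata), ("%systemroot%", systemroot)):
        root = root.lower().rstrip("\\")
        if p == root or p.startswith(root + "\\"):
            p = token + p[len(root):]
    return p


def classify_registry_value(key: str, name: str, data: str, appdata: str) -> Optional[str]:
    """Return 'persistence', 'marker', 'masquerade', or None for one registry value."""
    k, n = key.strip().lower(), name.strip().lower()
    d = normalize_path(data, appdata)
    if (k, n, d) in MARKER_VALUES:
        return "marker"
    if k in PERSISTENCE_KEYS and n == PERSISTENCE_VALUE and d in DROPPED_PATHS:
        return "persistence"
    # Generalization: any autorun launching lsass.exe from outside System32.
    if k in PERSISTENCE_KEYS and d.rsplit("\\", 1)[-1] == "lsass.exe" \
            and not d.startswith(SYSTEM32 + "\\"):
        return "masquerade"
    return None


# Constructed log format: "<timestamp> <client ip> <qtype> <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$")


def find_redirect_lookups(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for lookups of the redirect domains
    or any of their subdomains; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if any(qname == dom or qname.endswith("." + dom) for dom in REDIRECT_DOMAINS):
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


def triage(registry: Iterable[Tuple[str, str, str]], dns_lines: Iterable[str],
           appdata: str) -> Dict[str, list]:
    """Group matching registry values by category and attach DNS hits."""
    report: Dict[str, list] = {"persistence": [], "marker": [], "masquerade": [],
                               "dns": find_redirect_lookups(dns_lines)}
    for key, name, data in registry:
        tag = classify_registry_value(key, name, data, appdata)
        if tag:
            report[tag].append((key, name, data))
    return report


# Constructed sample input (hypothetical user profile and log lines).
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "RTHDBPL",
     r"C:\Users\alice\AppData\Roaming\systemproc\lsass.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",
     r"C:\Program Files\Example\updater.exe"),
    (r"HKCU\Identities", "KillSelf", "ok"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\other\lsass.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Benign",
     r"C:\Windows\System32\lsass.exe"),
]
SAMPLE_DNS = [
    "2010-03-01T10:15:02Z 10.0.0.12 A www.google.com",
    "2010-03-01T10:15:03Z 10.0.0.12 A www.gewebsearch.com",
    "2010-03-01T10:16:40Z 10.0.0.27 A bbsstartexts.com.",
    "malformed line",
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE_REGISTRY, SAMPLE_DNS, SAMPLE_APPDATA).items():
        for item in items:
            print(f"{category}: {item}")
```

Run against a real export, feed it the (key, name, data) triples from an autoruns dump and the host's own %APPDATA% value; the System32 check deliberately stays in the loop even when the RTHDBPL value name has been changed by a later variant.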
Analysis by Rodel Finones
Prevention