Trojan:Win32/Dursg.E is a trojan that monitors Internet keyword searches to display pop-up advertisements. The trojan terminates security programs and attempts to download arbitrary files from predefined remote Web servers.
Installation
Trojan:Win32/Dursg.E may be installed by other malware such as Trojan:Win32/Meredrop. When run, Trojan:Win32/Dursg.E creates the following components:
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest
%USERPROFILE%\Application Data\systemproc\lsass.exe - detected as Trojan:Win32/Dursg.E
The registry is modified to run the trojan at each Windows start.
Adds value: "RTHDBPL"
With data: "%USERPROFILE%\Application Data\systemproc\lsass.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
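As an added example (not part of this write-up), the following PowerShell script checks a Windows host for the installation artifacts listed above and reports what it finds without removing anything. It assumes the paths and registry value exactly as given in this entry; the check for a 32-bit Firefox under %ProgramFiles(x86)%, the AppData\Roaming equivalent of the XP-era "Application Data" path, and the comparison of running lsass.exe images against the genuine %SystemRoot%\System32\lsass.exe are additions for completeness on later Windows versions.

```powershell
# Added example: read-only check for Trojan:Win32/Dursg.E host artifacts.
# Run from an elevated PowerShell session; nothing is deleted or terminated.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$valueName = 'RTHDBPL'
$extGuid   = '{9ce11043-9a15-4207-a565-0c94c42d590d}'
$findings  = @()

# 1. Autorun value written under the Policies\Explorer\Run subkey
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Registry: $runKey\$valueName = $($run.$valueName)"
}

# 2. Dropped executable: the XP-era path from the write-up and its
#    AppData\Roaming equivalent on Windows Vista and later (assumption)
$dropPaths = @(
    (Join-Path $env:USERPROFILE 'Application Data\systemproc\lsass.exe'),
    (Join-Path $env:APPDATA 'systemproc\lsass.exe')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
}

# 3. Firefox extension directory with the hard-coded GUID (64-bit and 32-bit Program Files)
foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($base) {
        $d = Join-Path $base "Mozilla Firefox\extensions\$extGuid"
        if (Test-Path -LiteralPath $d) { $findings += "Firefox extension: $d" }
    }
}

# 4. Any running lsass.exe whose image is not the genuine one in System32.
#    Never kill by name alone: the real LSASS is also called lsass.exe.
$genuine = Join-Path $env:SystemRoot 'System32\lsass.exe'
Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and ($_.ExecutablePath -ne $genuine)) {
        $findings += "Process: PID $($_.ProcessId) running from $($_.ExecutablePath)"
    }
}

if ($findings.Count -eq 0) { 'No Trojan:Win32/Dursg.E indicators found.' }
else { $findings }
```

The process check matters because the dropped file borrows the name of a legitimate system process; a responder who only looks at process names will see nothing unusual, while the image path under the user profile is the give-away.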
Payload
Downloads arbitrary files
Trojan:Win32/Dursg.E injects code into the running process of the following Web browser applications:
Internet Explorer
Opera
Google Chrome
Firefox
The injected code attempts to download arbitrary files from the following domains:
simfreebox.com
position7.com
rtsmor.com
qulino.com
controllqz.com
The downloaded file is saved locally as the following:
Terminates specific applications
Trojan:Win32/Dursg.E closes the windows of security and utility applications whose window title contains any of the following strings:
Hijack
Avira
AVG
NOD32
SystemProc
A-squared
ArcaVir
Avast
AntiVir
BitDefender
ClamAV
DrWeb
F-Prot
F-Secure
Kaspersky
McAfee
Norman
Panda
Sophos
Symantec
Vexira
VirusBuster
Filemon
Wireshark
Regmon
Process list
Ad-Aware
Spyzooka
IDA
HIEV
OllyDbg
Downloads arbitrary files
The trojan attempts to download arbitrary files from the domain "qulino.com". At the time of this writing, the server was unavailable.
Displays pop-up advertisements
Trojan:Win32/Dursg.C monitors the following Web browsers:
Internet Explorer
Opera
Chrome
Firefox
The trojan monitors keyword searches; the following is a partial list of the keywords it watches for:
airlines
amazon
antivir
antivirus
baby
bank
bany
baseball
books
cars
casino
cialis
cigarettes
comcast
craigslis
credit
dating
design
diet
doctor
dvd
ebay
estate
fashion
film
finance
flights
flower
footbal
football
gambling
game
gifts
golf
graphic
health
hotel
insurance
iphone
ipod
job
loan
loans
medical
military
mobile
money
mortgage
movie
music
myspace
pharma
pocker
poker
porn
school
sex
shop
software
sport
spybot
spyware
trading
tramadol
travel
twitter
verizon
video
virus
vocations
wallpaper
weather
yobt
If any of the keywords listed above is used as a search term, the trojan displays pop-up advertisements from the domain "cexsearch.com".
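As an added example (not part of this write-up), the following PowerShell code scans proxy log lines for requests to the domains this entry associates with the trojan: the five download servers named under "Downloads arbitrary files" and the advertisement source "cexsearch.com". The log format (timestamp, client IP, URL) and the sample lines are constructed; matching is by exact host or subdomain so that a look-alike such as "notqulino.com" is not flagged.

```powershell
# Added example: flag proxy requests to the domains listed in the Dursg.E write-up.

$indicators = @(
    'simfreebox.com', 'position7.com', 'rtsmor.com', 'qulino.com', 'controllqz.com',  # download servers
    'cexsearch.com'                                                                    # pop-up advertisement source
)

function Test-DursgDomain {
    param([string]$Hostname)
    $h = $Hostname.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $indicators) {
        # exact host or a subdomain of it; "notqulino.com" must not match "qulino.com"
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $d }
    }
    return $null
}

function Find-DursgRequests {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        # constructed format: "<time> <client-ip> <url>", whitespace separated
        $fields = $line -split '\s+'
        if ($fields.Count -lt 3) { continue }
        try { $uri = [System.Uri]$fields[2] } catch { continue }
        $hit = Test-DursgDomain $uri.Host
        if ($hit) {
            [pscustomobject]@{
                Time      = $fields[0]
                Client    = $fields[1]
                Host      = $uri.Host
                Indicator = $hit
            }
        }
    }
}

# Constructed sample log lines (not real traffic)
$sample = @(
    '2010-03-01T10:00:01Z 10.0.0.5 http://www.microsoft.com/',
    '2010-03-01T10:00:07Z 10.0.0.5 http://qulino.com/dl/update.exe',
    '2010-03-01T10:01:12Z 10.0.0.9 http://ads.cexsearch.com/show?q=poker',
    '2010-03-01T10:02:30Z 10.0.0.9 http://notqulino.com/index.html'
)

Find-DursgRequests -LogLines $sample | Format-Table -AutoSize
```

Against the sample above only the second and third lines are reported. To run it over a real export, replace the sample with `Find-DursgRequests -LogLines (Get-Content .\proxy.log)` and adjust the field positions to the log format in use; a hit on "cexsearch.com" from a client that has just issued a search request is the network-side counterpart of the pop-up behaviour described in this section.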
Analysis by Tim Liu