Threat behavior
TrojanDownloader:Win32/Tracur.M is a trojan that redirects user searches from legitimate search sites to a Web site that contains malware. It is installed as a Browser Helper Object (BHO) in Internet Explorer, and replaces Firefox Extension Settings files.
Installation
When executed, TrojanDownloader:Win32/Tracur.M creates the following registry subkeys to register itself as a Browser Helper Object (BHO):
- HKCR\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69AE3232-53EF-44B0-B1E1-0821A0EE4998}
- HKCR\CLSID\{69AE3232-53EF-44B0-B1E1-0821A0EE4998}\InprocServer32\
If Firefox is installed in the system, TrojanDownloader:Win32/Tracur.M also installs itself as a Firefox extension by replacing the following files:
- %APPDATA%\Mozilla\Firefox\Profiles\install.rdf
- %APPDATA%\Mozilla\Firefox\Profiles\chrome\xulcache.jar
- %APPDATA%\Mozilla\Firefox\Profiles\chrome\chrome.manifest
Payload
Redirects user searches
TrojanDownloader:Win32/Tracur.M redirects searches when the following search engines are used:
- AOL
- Ask
- Bing
- Google
- Yahoo!
Searches made on these sites are redirected to the IP address "74.50.117.107", which may host other malware.
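The following host check is an added example, not part of the original encyclopedia entry: it looks for the BHO registration, the replaced Firefox files, and live connections to the redirect address described above. It assumes PowerShell 4 or later on Windows (Get-FileHash; Get-NetTCPConnection needs Windows 8 / Server 2012 or later), and it adds the standard HKLM BHO registration path alongside the HKCR paths the entry lists.

```powershell
# Added example (not the entry's own content): report Tracur.M artifacts on a host.
# Assumptions: PowerShell 4+, read access to HKCR/HKLM and %APPDATA%.
$clsid      = '{69AE3232-53EF-44B0-B1E1-0821A0EE4998}'   # CLSID named in the entry
$redirectIp = '74.50.117.107'                              # redirect address named in the entry

$registryPaths = @(
    # Paths as listed in the entry
    "Registry::HKEY_CLASSES_ROOT\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
    # Standard IE BHO registration location (added to the check, not from the entry)
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)

$firefoxRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$fileNames   = @('install.rdf', 'chrome\xulcache.jar', 'chrome\chrome.manifest')
$findings    = @()

# 1. Registry: BHO registration for the known CLSID
foreach ($path in $registryPaths) {
    if (Test-Path -LiteralPath $path) {
        $value = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = $path; Detail = "Default=$value" }
    }
}

# 2. Files: the exact paths the entry lists, plus each profile subfolder (a broadening of the check)
$candidateDirs = @($firefoxRoot)
if (Test-Path -LiteralPath $firefoxRoot) {
    $candidateDirs += Get-ChildItem -LiteralPath $firefoxRoot -Directory | ForEach-Object { $_.FullName }
}
foreach ($dir in $candidateDirs) {
    foreach ($name in $fileNames) {
        $file = Join-Path $dir $name
        if (Test-Path -LiteralPath $file) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash   # record for later triage
            $findings += [pscustomobject]@{ Type = 'File'; Location = $file; Detail = "SHA256=$hash" }
        }
    }
}

# 3. Network: any established connection to the redirect address
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemoteAddress $redirectIp -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Network'; Location = "$($_.RemoteAddress):$($_.RemotePort)"; Detail = "PID $($_.OwningProcess)" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Tracur.M artifacts found.' }
```

The script only reports; a file hit under a profile folder should be compared against a known-good Firefox extension before anything is removed.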
Analysis by Marian Radu
Prevention