Win32/Dursg is a family of trojans that install malicious components as Firefox or Opera components. They redirect Internet search queries to malicious URLs that display advertisements or serve other malware.
Installation
Win32/Dursg may be distributed by other malware such as members of the Win32/Sality, Win32/Virut, Win32/Polip, Win32/Alureon, and Win32/Tracur families.
It creates the mutex "SERPv2" to ensure that only one instance of itself is running on the computer at any given time.
Win32/Dursg drops a copy of itself using any of the following file names:
- %APPDATA%\syswin\lsass.exe
- %APPDATA%\systemproc\lsass.exe
- %APPDATA%\system\lsass.exe
It may also drop a copy of itself as any of the following:
- %APPDATA%\Microsoft\Windows\lsass.exe
- %temp%\<random file name>.exe
If the currently logged-in user has administrator privileges on the computer, Win32/Dursg creates any of the following registry entries to ensure that its copy automatically runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "RTHDBPL"
With data: "<malware path and file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "Lsass Service"
With data: "<malware path and file name>"
If the currently logged-in user does not have administrator privileges on the computer, Win32/Dursg creates any of the following registry entries to ensure that its copy automatically runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Lsass Service"
With data: "<malware path and file name>"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Lsass Service"
With data: "<malware path and file name>"
It may also create the following registry modification as part of its installation process:
In subkey: HKCU\Identities
Sets value: "KillSelf"
With data: "ok"
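As an added example (not part of the Microsoft write-up), a small Python triage function that scans exported registry autorun entries for the persistence indicators described above: the listed keys and value names, an lsass.exe image that does not live in System32 (where the real binary is), and the HKCU\Identities\KillSelf marker. The sample entries are constructed.

```python
import re

# Autorun keys and value names from the Win32/Dursg write-up (lower-cased for matching).
DURSG_RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
DURSG_VALUE_NAMES = {"rthdbpl", "lsass service"}
# Anything ending in \lsass.exe that is not the real binary in System32 is suspicious.
LSASS_NAME = re.compile(r"\\lsass\.exe$", re.I)
LEGIT_LSASS = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\system32\\lsass\.exe$", re.I)

def triage_autoruns(entries):
    """entries: iterable of (key, value_name, data) as exported from the registry.
    Returns a list of (key, value_name, reason) findings, in input order."""
    findings = []
    for key, name, data in entries:
        key_n = key.strip().rstrip("\\")
        path = data.strip().strip('"')  # drop surrounding quotes on the image path
        reasons = []
        if key_n.lower() in DURSG_RUN_KEYS and name.lower() in DURSG_VALUE_NAMES:
            reasons.append(f"Dursg autorun value name {name!r}")
        if LSASS_NAME.search(path) and not LEGIT_LSASS.match(path):
            reasons.append(f"lsass.exe outside System32: {path}")
        if key_n.lower() == r"hkcu\identities" and name.lower() == "killself" and data.strip().lower() == "ok":
            reasons.append("Dursg installation marker HKCU\\Identities\\KillSelf = ok")
        if reasons:
            findings.append((key_n, name, "; ".join(reasons)))
    return findings

# Constructed sample export (not from a real host): two Dursg entries, one marker, two benign.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "RTHDBPL",
     r"C:\Users\alice\AppData\Roaming\syswin\lsass.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Lsass Service",
     r'"%APPDATA%\systemproc\lsass.exe"'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Identities", "KillSelf", "ok"),
    (r"HKLM\SOFTWARE\Example\Recorded", "LastImage", r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for key, name, reason in triage_autoruns(SAMPLE_ENTRIES):
        print(f"{key}\\{name}: {reason}")
```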
Payload
Installs other malware
If the currently logged-in user has administrator privileges on the computer, Win32/Dursg installs a malicious Mozilla Firefox browser extension by dropping any of the following sets of files:
- %ProgramFiles%\Mozilla Firefox\Extensions\<CLSID value>\install.rdf
- %ProgramFiles%\Mozilla Firefox\Extensions\<CLSID value>\chrome.manifest
- %ProgramFiles%\Mozilla Firefox\Extensions\<CLSID value>\chrome\content\timer.xul - detected as Trojan:Win32/Dursg
- %appdata%\Mozilla Firefox\Extensions\<CLSID value>\install.rdf
- %appdata%\Mozilla Firefox\Extensions\<CLSID value>\chrome.manifest
- %appdata%\Mozilla Firefox\Extensions\<CLSID value>\chrome\content\timer.xul - detected as Trojan:JS/Dursg
where <CLSID value> varies depending on the sample. In the wild, we have seen the following <CLSID> values being used:
- {8ce11043-9a15-4207-a565-0c94c42d590d}
- {9ce11043-9a15-4207-a565-0c94c42d590d}
It may also install a malicious Opera browser extension as the following files:
- %appdata%\Opera\Opera\profile\user.js - detected as Trojan:JS/Dursg
- %appdata%\Opera\Opera\profile\opera6.ini - configuration file pointing to the "user.js" file
Redirects web searches
Win32/Dursg monitors the user's web browsing and may redirect web searches to a malicious URL when one of the following search engines is used:
- Google
- Yahoo
- AOL
- Ask
- Bing
Some variants may also affect the following search engines and domains:
- Yandsearch
- Bigmir
- Aport
- Mail.ru
Win32/Dursg only monitors web searches if Firefox or Opera is used for the searches.
In the wild, this Trojan has been observed to redirect searches to the following domains:
Analysis by Rodel Finones