TRACUR


 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via peer-to-peer networks, Downloaded from the Internet


TRACUR variants may arrive on a system through peer-to-peer networks, or as a file downloaded by other malware.

TRACUR is a family of worms that redirects users' browsing to advertisements, which earns revenue for the malware authors. It installs browser components and monitors web browser activity in order to display relevant popups.

TRACUR variants can also download and execute other malware into the affected system.

In 2010, TRACUR variants were found to be the final payload of a vulnerability exploit involving .MOV files and a certain feature of the QuickTime video player.

Users would find maliciously crafted .MOV files on peer-to-peer networks; when they tried to play the files in QuickTime, the feature was triggered and an Internet Explorer window opened at a malicious URL. That page would then prompt the user to download a file, which invariably turned out to be malicious, namely a TRACUR variant.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Drops files, Modifies system registry, Connects to URLs/IPs

Installation

This Trojan drops the following files:

  • %System%\{random}32.dll
  • %Application Data%\SystemProc\upd.exe
  • %Application Data%\{CLSID}.manifest
  • %Application Data%\Mozilla\Firefox\Profiles\{hex}.default\extensions\{CLSID}\chrome.manifest
  • %Application Data%\Mozilla\Firefox\Profiles\{hex}.default\extensions\{CLSID}\chrome\xulcache.jar
  • %Application Data%\Mozilla\Firefox\Profiles\{hex}.default\extensions\{CLSID}\defaults\preferences\xulcache.js
  • %Application Data%\Mozilla\Firefox\Profiles\{hex}.default\extensions\{CLSID}\install.rdf
  • %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome.manifest
  • %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome\content\timer.xul
  • %Program Files%\Mozilla Firefox\extensions\{CLSID}\install.rdf

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It drops the following copies of itself into the affected system:

  • %Application Data%\SystemProc\lsass.exe

It creates the following folders:

  • %Application Data%\SystemProc
  • %Program Files%\Mozilla Firefox\extensions\{CLSID}
  • %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome
  • %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome\content
  • %Application Data%\Mozilla\Firefox\Profiles\{hex}.default\extensions\{CLSID}\defaults
  • %Application Data%\Mozilla\Firefox\Profiles\{hex}.default\extensions\{CLSID}\defaults\preferences

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RTHDBPL = "%Application Data%\SystemProc\lsass.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RTHDBPL = "{Malware path and file name}.exe"

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
{random} = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{random}
DllName = "%System%\{random}32.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{random}
Startup = "EventStartup"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
{random} = "{Hex Values}"

HKEY_CURRENT_USER\Identities
Curr version = "11"

HKEY_CURRENT_USER\Identities
Inst Date = "{DD-M-YYYY}"

HKEY_CURRENT_USER\Identities
Last Date = "{DD-M-YYYY}"

HKEY_CURRENT_USER\Identities
Popup count = "0"

HKEY_CURRENT_USER\Identities
Popup date = "0"

HKEY_CURRENT_USER\Identities
Popup time = "0"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = "%System%\{random}32.dll"

(Note: The default value data of the said registry entry is " ".)
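All three persistence mechanisms described above (the policies\Explorer\Run value, the Winlogon Notify package and the AppInit_DLLs hook), the HKCU\Identities bookkeeping values, the SystemProc drop folder and the {CLSID}-named Firefox extension are visible from the registry and file system, so a suspect host can be triaged without the sample. The PowerShell script below is an added example, not part of the Trend Micro entry. It assumes PowerShell 2.0 or later in an elevated session on the affected host, checks only the current user's HKCU hive and %APPDATA%, and is read-only. The function name Find-TracurIndicators, the Wow6432Node check, the Authenticode signature check on Notify DLLs and the CLSID regular expression are this example's own choices, not anything the page specifies.

```powershell
# Added example (not from the Trend Micro entry): read-only triage for the TRACUR
# artifacts documented above. Assumes PowerShell 2.0+, elevated, on the suspect host;
# HKCU and %APPDATA% are the current user's. Every hit is reported for analyst review.
function Find-TracurIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. AppInit_DLLs is empty by default; TRACUR sets it to %System%\{random}32.dll.
    #    The Wow6432Node view (used by 32-bit processes on 64-bit hosts) is checked too.
    $appInitKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $appInitKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.AppInit_DLLs -and $p.AppInit_DLLs.Trim() -ne '') {
            $findings.Add("AppInit_DLLs at $key = '$($p.AppInit_DLLs)' (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))")
        }
    }

    # 2. Winlogon\Notify packages are DLLs loaded by winlogon.exe at logon (XP/2003).
    #    TRACUR registers a {random} subkey whose DllName is the same {random}32.dll.
    #    Any package whose DLL is missing or lacks a valid Authenticode signature is listed.
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($pkg in @(Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue)) {
        $dll = (Get-ItemProperty -Path $pkg.PSPath -ErrorAction SilentlyContinue).DllName
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll   # bare names resolve from System32
        }
        $status = if (Test-Path -LiteralPath $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'FileMissing' }
        if ("$status" -ne 'Valid') {
            $findings.Add("Winlogon Notify '$($pkg.PSChildName)' -> $dll (signature: $status)")
        }
    }

    # 3. policies\Explorer\Run is the "Run these programs at user logon" policy key.
    #    It is normally absent, so any value there (TRACUR uses RTHDBPL) deserves review.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($v in @($run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $findings.Add("policies\Explorer\Run: $($v.Name) = $($v.Value)")
        }
    }

    # 4. HKCU\Identities is a legitimate key; these particular value names are TRACUR's.
    $ident = Get-ItemProperty -Path 'HKCU:\Identities' -ErrorAction SilentlyContinue
    foreach ($name in 'Curr version', 'Inst Date', 'Last Date', 'Popup count', 'Popup date', 'Popup time') {
        if ($ident -and $ident.PSObject.Properties[$name]) {
            $findings.Add("HKCU\Identities\$name = $($ident.$name)")
        }
    }

    # 5. Dropped files: lsass.exe and upd.exe under %Application Data%\SystemProc.
    #    A genuine lsass.exe lives only in %System%, so anything in this folder is suspect.
    $sysProc = Join-Path $env:APPDATA 'SystemProc'
    if (Test-Path -LiteralPath $sysProc) {
        foreach ($f in @(Get-ChildItem -LiteralPath $sysProc | Where-Object { -not $_.PSIsContainer })) {
            $findings.Add("Dropped file: $($f.FullName)")
        }
    }

    # 6. Firefox extensions whose directory name is a {CLSID}, in the global extensions
    #    folder and in every profile. Legitimate add-ons may use GUID ids as well, so this
    #    is a review list, not a verdict. (Assumption: the GUID regex below.)
    $clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $extDirs = @(
        "$env:ProgramFiles\Mozilla Firefox\extensions",
        "${env:ProgramFiles(x86)}\Mozilla Firefox\extensions"
    )
    $profileRoot = "$env:APPDATA\Mozilla\Firefox\Profiles"
    foreach ($prof in @(Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue)) {
        if ($prof.PSIsContainer) { $extDirs += Join-Path $prof.FullName 'extensions' }
    }
    foreach ($dir in $extDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ext in @(Get-ChildItem -LiteralPath $dir)) {
            if ($ext.PSIsContainer -and $ext.Name -match $clsidPattern) {
                $findings.Add("Firefox extension with CLSID-style id: $($ext.FullName)")
            }
        }
    }

    return $findings
}

# Usage: run on the suspect host and review each line; @() keeps a single hit as an array.
$hits = @(Find-TracurIndicators)
if ($hits.Count -eq 0) { 'No TRACUR indicators found in the locations checked.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

Two caveats for interpreting the output. On Windows XP and Server 2003 many Microsoft Notify packages are catalog-signed rather than embedded-signed, so older PowerShell builds report them as NotSigned; treat check 2 as a list to compare against a known-good host, not as a verdict. Checks 4 to 6 only cover the user running the script; on a shared machine, load each user's NTUSER.DAT and profile folder in turn, or run the script in each user's session.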

Other Details

This Trojan connects to the following possibly malicious URLs:

  • {BLOCKED}.{BLOCKED}.93.190/conn
  • {BLOCKED}.{BLOCKED}.1.173/inq/
  • {BLOCKED}.{BLOCKED}.1.173/ppfd/
  • {BLOCKED}.{BLOCKED}.1.176/inq/
  • {BLOCKED}hn.info/inq/
  • {BLOCKED}ggym.com/conn
  • {BLOCKED}hd38j.info/pxsm/
  • {BLOCKED}ime.com/conn
  • {BLOCKED}opksh.info/mzeq/
  • http://{BLOCKED}llqz.com/inst.php?aid=hidden
  • http://{BLOCKED}llrx.com/update.php?sd={date}&aid=hidden
  • http://{BLOCKED}lltx.com/update.php?sd={date}&aid=hidden
  • http://{BLOCKED}x.com/update.php?sd={date}&aid=hidden
  • http://{BLOCKED}on7.com/update.php?sd={date}&aid=hidden
  • http://{BLOCKED}o.com/update.php?sd={date}&aid=hidden
  • http://{BLOCKED}r.com/update.php?sd={date}&aid=hidden
  • http://{BLOCKED}ebox.com/update.php?sd={date}&aid=hidden
  • http://{BLOCKED}traffik.ru/request.php?aid={date}&ver={hex}
  • http://{BLOCKED}request1.com/request.php?aid={date}&ver={hex}
  • http://{BLOCKED}900.com/se.php?pop=1&aid={hex}&sid={date}&key={keyword search}
  • http://{BLOCKED}enter.com/se.php?pop=1&aid={hex}&sid={date}&key={keyword search}
  • http://{BLOCKED}cn1.com/se.php?pop=1&aid={hex}&sid={date}&key={keyword search}