WORM_TRACUR.SMDI
Win32:Dracur-B [Cryp] (Avast), Win32/Dursg.A (Eset), Downloader-CIG (McAfee), Trojan:Win32/Dursg.C (Microsoft),
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Propagates via peer-to-peer networks, Downloaded from the Internet
This Trojan arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
108,032 bytes
EXE
Yes
16 Jul 2010
Connects to URLs/IPs, Displays ads
Arrival Details
This Trojan arrives via peer-to-peer (P2P) shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %Application Data%\SystemProc\lsass.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following non-malicious files:
- %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome\content\timer.xu
- %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome.manifest
- %Program Files%\Mozilla Firefox\extensions\{CLSID}\install.rdf
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It creates the following folders:
- %Application Data%\SystemProc
- %Program Files%\Mozilla Firefox\extensions\{CLSID
- %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome
- %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome\content
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- SERPv2
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
RTHDBPL = "%Application Data%\SystemProc\lsass.exe"
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Identities
Curr version = "11"
HKEY_CURRENT_USER\Identities
Last Date = "{DD-M-YYYY}"
HKEY_CURRENT_USER\Identities
Inst Date = "{DD-M-YYYY}"
HKEY_CURRENT_USER\Identities
Popup count = "0"
HKEY_CURRENT_USER\Identities
Popup time = "0"
HKEY_CURRENT_USER\Identities
Popup date = "0"
Propagation
This Trojan drops copies of itself into the following folders used in peer-to-peer (P2P) networks:
- C:\program files\winmx\shared\
- C:\program files\tesla\files\
- C:\program files\limewire\shared\
- C:\program files\morpheus\my shared folder\
- C:\program files\emule\incoming\
- C:\program files\edonkey2000\incoming\
- C:\program files\bearshare\shared\
- C:\program files\grokster\my grokster\
- C:\program files\icq\shared folder\
- C:\program files\kazaa lite k++\my shared folder\
- C:\program files\kazaa lite\my shared folder\
- C:\program files\kazaa\my shared folder\
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- http://{BLOCKED}lltx.com/update.php?sd={date}&aid=hidden
Other Details
This Trojan deletes the initially executed copy of itself
NOTES:
This worm uses the following file names for the copies it drops into peer-to-peer (P2P) shares:
- AOL Instant Messenger (AIM) Hacker.exe
- AOL Password Cracker.exe
- Brutus FTP Cracker.exe
- Counter-Strike KeyGen.exe
- DCOM Exploit.exe
- DivX 5.0 Pro KeyGen.exe
- FTP Cracker.exe
- Half-Life 2 Downloader.exe
- Hotmail Cracker.exe
- Hotmail Hacker.exe
- ICQ Hacker.exe
- IP Nuker.exe
- Keylogger.exe
- L0pht 4.0 Windows Password Cracker.exe
- Microsoft Visual Basic KeyGen.exe
- Microsoft Visual C++ KeyGen.exe
- Microsoft Visual Studio KeyGen.exe
- MSN Password Cracker.exe
- NetBIOS Cracker.exe
- NetBIOS Hacker.exe
- Norton Anti-Virus 2005 Enterprise Crack.exe
- Password Cracker.exe
- sdbot with NetBIOS Spread.exe
- Sub7 2.3 Private.exe
- UT 2003 KeyGen.exe
- Website Hacker.exe
- Windows 2003 Advanced Server KeyGen.exe
- Windows Password Cracker.exe
It monitors the following browsers:
- Chrome
- Explorer
- Firefox
- Opera
It redirects the browsers to http://{BLOCKED}affik.ru/request.php?aid=hidden when the following search engines are used:
- search
- yahoo
- youtube
This worm monitors the following keyword searches:
- airlines
- amazon
- antivir
- antivirus
- baseball
- books
- casino
- cialis
- cigarettes
- comcast
- craigslist
- credit
- dating
- design
- doctor
- estate
- fashion
- finance
- flights
- flower
- footbal
- football
- gambling
- gifts
- graphic
- health
- hotel
- insurance
- iphone
- loans
- medical
- military
- mobile
- money
- mortgage
- movie
- music
- myspace
- pharma
- pocker
- poker
- school
- software
- sport
- spybot
- spyware
- trading
- tramadol
- travel
- verizon
- video
- virus
- vocations
- wallpaper
- weather
If one of the keywords above is used, it displays advertisements related to it by opening the page http://{BLOCKED}nter.com/se.php?pop={number}&aid={data}&sid={date}&key={keyword search}.
SOLUTION
9.700
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Terminate a malware/grayware process
*Note: If the detected process is not displayed in theWindows Task Manager, continue doing the next steps.
- lsass.exe
Step 3
Close all opened browser windows
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- RTHDBPL = "%Application Data%\SystemProc\lsass.exe"
- RTHDBPL = "%Application Data%\SystemProc\lsass.exe"
- In HKEY_CURRENT_USER\Identities
- Curr version = "11"
- Curr version = "11"
- In HKEY_CURRENT_USER\Identities
- Last Date = "{DD-M-YYYY}"
- Last Date = "{DD-M-YYYY}"
- In HKEY_CURRENT_USER\Identities
- Inst Date = "{DD-M-YYYY}"
- Inst Date = "{DD-M-YYYY}"
- In HKEY_CURRENT_USER\Identities
- Popup count = "0"
- Popup count = "0"
- In HKEY_CURRENT_USER\Identities
- Popup time = "0"
- Popup time = "0"
- In HKEY_CURRENT_USER\Identities
- Popup date = "0"
- Popup date = "0"
Step 5
Search and delete these folders
Step 6
Scan your computer with your Trend Micro product to delete files detected as WORM_TRACUR.SMDI. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.