Trojan-Downloader:W32/Tracur.J

Name: Trojan-Downloader:W32/Tracur.J
Detection Names: Trojan.Spy.Agent.OEV, Trojan-downloader.win32.agent.dter
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary

A trojan that secretly downloads malicious files from a remote server, then installs and executes the files.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Trojan-Downloader:W32/Tracur.J identifies a malicious DLL file that installs a malicious plug-in for the Internet Explorer and/or Mozilla Firefox web browsers in order to redirect searches to an unsolicited website.

This file is probably dropped by a separate dropper program.


Installation

The DLL file is registered as a Browser Helper Object (BHO) with the Internet Explorer web browser. If the Mozilla Firefox web browser is installed, the file will also install a malicious extension (the browser's equivalent of a BHO) for Firefox.


Activity

Once installed, the BHO in either web browser will redirect searches made using various search engines to:

  •  http://74.50.[...].107

The site may host more malicious content.

The list of targeted search engines is hard-coded. The targeted search engines are:

  •  Ask
  •  Snap
  •  Hotbot
  •  Gigablast
  •  Alltheweb
  •  Altavista
  •  Lycos
  •  AOL
  •  Bing
  •  Yahoo!
  •  Google


Registry Changes

During installation, Tracur.J creates the following registry keys:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989A5447-1A50-4D02-BA55-724A516C1370}
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{989A5447-1A50-4D02-BA55-724A516C1370}
  •  HKEY_CLASSES_ROOT\CLSID\{989A5447-1A50-4D02-BA55-724A516C1370}
  •  HKEY_CLASSES_ROOT\.fsharproj
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj
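
The following PowerShell check is an added example, not part of the original description or F-Secure tooling. It tests a host for the registry keys listed above and, where a CLSID key is present, reads the DLL path it registers. The function name is hypothetical, and the InprocServer32 lookup relies on standard COM registration rather than on anything stated in this description.

```powershell
# Registry keys from the "Registry Changes" list in this description.
$clsid = '{989A5447-1A50-4D02-BA55-724A516C1370}'
$keys = @(
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid",
    "HKEY_CLASSES_ROOT\CLSID\$clsid",
    "HKEY_CLASSES_ROOT\.fsharproj",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj"
)

# Hypothetical helper: reports which listed keys exist on this host.
function Get-TracurJRegistryFinding {
    param([Parameter(Mandatory)][string[]]$KeyPath)

    foreach ($key in $KeyPath) {
        # The Registry:: provider prefix allows full hive names, including HKEY_CLASSES_ROOT.
        $psPath  = "Registry::$key"
        $present = Test-Path -LiteralPath $psPath
        $dll     = $null

        if ($present -and $key -like '*\CLSID\*') {
            # Assumption (standard COM layout): the default value of
            # InprocServer32 holds the path of the DLL registered for the CLSID.
            $inproc = "$psPath\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            }
        }

        [pscustomobject]@{
            Key           = $key
            Present       = $present
            RegisteredDll = $dll
        }
    }
}

$findings = Get-TracurJRegistryFinding -KeyPath $keys
$findings | Format-Table -AutoSize -Wrap

if ($findings.Present -contains $true) {
    Write-Warning 'One or more registry keys listed for Trojan-Downloader:W32/Tracur.J are present.'
}
```

Run it from an elevated prompt so the HKEY_LOCAL_MACHINE keys are readable. A RegisteredDll value identifies the file to submit for scanning.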