Trojan.Tracur

Trojan.Tracur is a Trojan that attempts to connect to a remote web site and download more threats onto the infected system. Trojan.Tracur redirects web search results to a malicious web page address that contains a drive-by-download script. This virus also monitors and logs information when the user visits certain URLs.

Technical Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of Trojan.Tracur:

1. If using Windows 7/Vista/Me/XP, System Restore must be disabled to prevent the threat from restoring itself. [Windows XP System Restore] [System Restore in Windows Vista/7]
2. Update the virus definitions.
3. Reboot computer in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Delete/Modify any values added to the registry.
6. Exit registry editor and restart the computer.

Scan with Norton Power Eraser:
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.

Online Virus Scanner:
Another way to remove a virus from a computer without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found here or on the web sites of legitimate computer security providers.

Technical Details and Additional Information:

Other functionalities of this Trojan:
- The Trojan can open a backdoor and receive commands from a remote server.
- It can download and execute files remotely.
- It starts itself by creating an entry in the Windows registry.

Malicious Files Added by Trojan.Tracur:
Trojan.Tracur drops the following files:
%System%\[NAME OF AN EXISTING DLL]32.exe (W32.Mozipowp)
%System%\[NAME OF AN EXISTING DLL]32.dll
%UserProfile%\Application Data\SysWin\lsass.exe (W32.Mozipowp)
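
As an added example (not part of the original write-up or of any vendor tool), the Python script below checks a system folder and a user profile for the dropped-file patterns listed above. The function names, the constructed sample tree and the rule that both `<name>32.exe` and `<name>32.dll` must sit beside an existing `<name>.dll` are assumptions made for illustration; hits are candidates to verify, not confirmed infections.

```python
import os
import tempfile


def find_tracur_candidates(system_dir, profile_dir):
    """Return paths that match the dropped-file patterns from the list above."""
    # Map lower-cased names to real names: Windows file names are case-insensitive.
    present = {n.lower(): n for n in os.listdir(system_dir)}
    hits = []
    for lower in sorted(present):
        stem, ext = os.path.splitext(lower)
        if ext != ".dll":
            continue
        exe, dll = stem + "32.exe", stem + "32.dll"
        # Assumption: require both dropped names, because a lone <name>32.dll
        # next to <name>.dll also occurs on clean systems.
        if exe in present and dll in present:
            hits.append(os.path.join(system_dir, present[exe]))
            hits.append(os.path.join(system_dir, present[dll]))
    # The genuine lsass.exe lives in the system folder, never under a profile.
    fake_lsass = os.path.join(profile_dir, "Application Data", "SysWin", "lsass.exe")
    if os.path.isfile(fake_lsass):
        hits.append(fake_lsass)
    return hits


def demo():
    """Run the check against a constructed directory tree (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "System32")
        profile = os.path.join(root, "Profile")
        syswin = os.path.join(profile, "Application Data", "SysWin")
        os.makedirs(system)
        os.makedirs(syswin)
        # netapi*: clean-looking pair; msvcrt*: constructed match for the pattern.
        for name in ("netapi.dll", "netapi32.dll", "notepad.exe",
                     "msvcrt.dll", "msvcrt32.exe", "msvcrt32.dll"):
            open(os.path.join(system, name), "w").close()
        open(os.path.join(syswin, "lsass.exe"), "w").close()
        found = find_tracur_candidates(system, profile)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in found]


if __name__ == "__main__":
    for path in demo():
        print("candidate:", path)
```

On a live Windows system, pass the real system folder and user profile path to `find_tracur_candidates`, and confirm each hit with the anti-virus scan described in the removal steps before deleting anything.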

The Trojan installs itself as a Firefox extension, overwriting the following:
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\install.rdf
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\chrome\xulcache.jar
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\chrome\chrome.manifest

The Trojan installs itself as a Chrome extension, overwriting the following:
%UserProfile%\Application Data\Google\Chrome\User Data\Default\[RANDOM LETTERS]\contentscript.js
%UserProfile%\Application Data\Google\Chrome\User Data\Default\[RANDOM LETTERS]\manifest.json

Associated Windows Registry Entries:
HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8Ec}\InprocServer32\"(Default)" = "%System%\[NAME OF AN EXISTING DLL]32.dll"
HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8Ec}\InprocServer32\"ThreadingModel" = "Both"
HKEY_CLASSES_ROOT\[RANDOM LETTERS]\CLSID\"(Default)" = "{c4c7969f-a03b-4f27-822b-0c2e90a111f6}"

Alternative Removal Method for Trojan.Tracur

Option 1 : Use Windows System Restore to return Windows to previous state

If Trojan.Tracur enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before Trojan.Tracur infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.