Trojan.Tracur

Trojan.Tracur is a Trojan that attempts to connect to a remote web site and download additional threats onto the infected system. Trojan.Tracur redirects web search results to a malicious web page that contains a drive-by-download script. It also monitors and logs information when the user visits certain URLs.

Technical Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of Trojan.Tracur:

1. If using Windows 7/Vista/Me/XP, System Restore must be disabled to prevent the threat from restoring itself. [Windows XP System Restore] [System Restore in Windows Vista/7]
2. Update the virus definitions.
3. Reboot the computer in Safe Mode. [how to]
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry. [how to edit registry]
6. Exit the registry editor and restart the computer.

Scan with Norton Power Eraser:
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without relying on traditional AV signatures. Download the tool from this location and scan the computer for viruses.

Online Virus Scanner:
Another way to remove a virus from a computer without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner, which can be found here or on the web sites of legitimate computer security providers.

Technical Details and Additional Information:

Other functionalities of this Trojan:
- The Trojan can open a backdoor and receive commands from a remote server.
- It can download and execute files from a remote location.
- It starts itself by creating an entry in the Windows registry.

Malicious Files Added by Trojan.Tracur:
Trojan.Tracur drops the following files:
%System%\[NAME OF AN EXISTING DLL]32.exe (W32.Mozipowp)
%System%\[NAME OF AN EXISTING DLL]32.dll
%UserProfile%\Application Data\SysWin\lsass.exe (W32.Mozipowp)

The Trojan installs itself as a Firefox extension, overwriting the following files:
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\install.rdf
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\chrome\xulcache.jar
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\chrome\chrome.manifest

The Trojan installs itself as a Chrome extension, overwriting the following files:
%UserProfile%\Application Data\Google\Chrome\User Data\Default\[RANDOM LETTERS]\contentscript.js
%UserProfile%\Application Data\Google\Chrome\User Data\Default\[RANDOM LETTERS]\manifest.json

Associated Windows Registry Entries:
HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8Ec}\Inproc Server32\"(Default)" = "%System%\[NAME OF AN EXISTING DLL]32.dll"
HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8Ec}\Inproc Server32\"ThreadingModel" = "Both"
HKEY_CLASSES_ROOT\[RANDOM LETTERS]\CLSID\"(Default)" = "{c4c7969f-a03b-4f27-822b-0c2e90a111f6}"
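The following PowerShell script is an added triage example written for this page; it is not part of the original advisory and is not a tool from Norton. It reads the file and registry indicators listed above (the dropper pair named after an existing DLL, the SysWin\lsass.exe payload, the Firefox and Chrome extension files, and the two CLSIDs) and reports what it finds without deleting anything, so it fits before step 4 of the manual removal procedure. Assumptions: %System% is $env:SystemRoot\System32, the XP-style "%UserProfile%\Application Data" folder corresponds to $env:APPDATA on Vista/7, and [RANDOM LETTERS] is matched with a wildcard. The paths are taken exactly as the advisory lists them.

```powershell
# Added example, not from the original advisory: read-only check for the
# Trojan.Tracur artifacts listed on this page. Run from an elevated
# PowerShell prompt; nothing is modified or deleted.
# Assumptions: %System% = $env:SystemRoot\System32 and
# "%UserProfile%\Application Data" = $env:APPDATA (Vista/7 layout).

$findings = New-Object System.Collections.Generic.List[string]
$system   = Join-Path $env:SystemRoot 'System32'
$appData  = $env:APPDATA

# 1. %System%\[NAME OF AN EXISTING DLL]32.exe: the dropper borrows the name of a
#    DLL already present in System32. Flag every "<name>32.exe" for which
#    "<name>.dll" exists; each hit deserves a manual look (signature, hash, timestamp).
Get-ChildItem -Path $system -Filter '*32.exe' -ErrorAction SilentlyContinue | ForEach-Object {
    $base = $_.BaseName -replace '32$', ''
    if ($base -and (Test-Path (Join-Path $system "$base.dll"))) {
        $sig = (Get-AuthenticodeSignature $_.FullName).Status
        $findings.Add("dropper candidate: $($_.FullName) (signature: $sig)")
    }
}

# 2. Second-stage payload (W32.Mozipowp) under a fake lsass.exe path. The real
#    lsass.exe lives only in System32, so any copy under a user profile is not legitimate.
$fakeLsass = Join-Path $appData 'SysWin\lsass.exe'
if (Test-Path $fakeLsass) { $findings.Add("dropped payload present: $fakeLsass") }

# 3. Browser extension artifacts, using the paths from the advisory.
$browserPaths = @(
    (Join-Path $appData 'Mozilla\Firefox\Profiles\install.rdf'),
    (Join-Path $appData 'Mozilla\Firefox\Profiles\chrome\xulcache.jar'),
    (Join-Path $appData 'Mozilla\Firefox\Profiles\chrome\chrome.manifest'),
    (Join-Path $appData 'Google\Chrome\User Data\Default\*\contentscript.js'),
    (Join-Path $appData 'Google\Chrome\User Data\Default\*\manifest.json')
)
foreach ($p in $browserPaths) {
    Get-Item -Path $p -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("browser extension artifact: $($_.FullName)")
    }
}

# 4. Registry: the COM class the dropped DLL registers, plus any HKCR key whose
#    CLSID subkey points at the second GUID from the advisory. Enumerating all
#    of HKEY_CLASSES_ROOT can take a minute on a busy machine.
$clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8EC}'
if (Test-Path $clsidKey) {
    $findings.Add("CLSID registered: $clsidKey")
    Get-ChildItem $clsidKey | ForEach-Object {
        $default = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("  subkey $($_.PSChildName) (default) = $default")
    }
}

$targetGuid = '{c4c7969f-a03b-4f27-822b-0c2e90a111f6}'
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue | ForEach-Object {
    $sub = "Registry::HKEY_CLASSES_ROOT\$($_.PSChildName)\CLSID"
    if (Test-Path $sub) {
        $val = (Get-ItemProperty $sub -ErrorAction SilentlyContinue).'(default)'
        if ($val -and ($val -ieq $targetGuid)) {
            $findings.Add("HKCR key pointing at $targetGuid : $($_.PSChildName)")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Tracur indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output $_ }
}
```

Treat the dropper check in step 1 as a candidate list rather than a verdict: a legitimately signed "<name>32.exe" that happens to sit beside a "<name>.dll" is a false positive, whereas an unsigned one with a recent timestamp is the file the advisory describes. Because the script only reads, it can be run in Safe Mode before the full scan and again afterwards to confirm that the registry entries and dropped files are gone.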

What to do next...