WORM_TRACUR.SMDI

This Trojan arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives via peer-to-peer (P2P) shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %Application Data%\SystemProc\lsass.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following non-malicious files:

• %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome\content\timer.xu
• %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome.manifest
• %Program Files%\Mozilla Firefox\extensions\{CLSID}\install.rdf

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

• %Application Data%\SystemProc
• %Program Files%\Mozilla Firefox\extensions\{CLSID
• %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome
• %Program Files%\Mozilla Firefox\extensions\{CLSID}\chrome\content

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• SERPv2

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
RTHDBPL = "%Application Data%\SystemProc\lsass.exe"

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Identities
Curr version = "11"

HKEY_CURRENT_USER\Identities
Last Date = "{DD-M-YYYY}"

HKEY_CURRENT_USER\Identities
Inst Date = "{DD-M-YYYY}"

HKEY_CURRENT_USER\Identities
Popup count = "0"

HKEY_CURRENT_USER\Identities
Popup time = "0"

HKEY_CURRENT_USER\Identities
Popup date = "0"

Propagation

This Trojan drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

• C:\program files\winmx\shared\
• C:\program files\tesla\files\
• C:\program files\limewire\shared\
• C:\program files\morpheus\my shared folder\
• C:\program files\emule\incoming\
• C:\program files\edonkey2000\incoming\
• C:\program files\bearshare\shared\
• C:\program files\grokster\my grokster\
• C:\program files\icq\shared folder\
• C:\program files\kazaa lite k++\my shared folder\
• C:\program files\kazaa lite\my shared folder\
• C:\program files\kazaa\my shared folder\

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}lltx.com/update.php?sd={date}&aid=hidden

Other Details

This Trojan deletes the initially executed copy of itself

NOTES:

This worm uses the following file names for the copies it drops into peer-to-peer (P2P) shares:

• AOL Instant Messenger (AIM) Hacker.exe
• AOL Password Cracker.exe
• Brutus FTP Cracker.exe
• Counter-Strike KeyGen.exe
• DCOM Exploit.exe
• DivX 5.0 Pro KeyGen.exe
• FTP Cracker.exe
• Half-Life 2 Downloader.exe
• Hotmail Cracker.exe
• Hotmail Hacker.exe
• ICQ Hacker.exe
• IP Nuker.exe
• Keylogger.exe
• L0pht 4.0 Windows Password Cracker.exe
• Microsoft Visual Basic KeyGen.exe
• Microsoft Visual C++ KeyGen.exe
• Microsoft Visual Studio KeyGen.exe
• MSN Password Cracker.exe
• NetBIOS Cracker.exe
• NetBIOS Hacker.exe
• Norton Anti-Virus 2005 Enterprise Crack.exe
• Password Cracker.exe
• sdbot with NetBIOS Spread.exe
• Sub7 2.3 Private.exe
• UT 2003 KeyGen.exe
• Website Hacker.exe
• Windows 2003 Advanced Server KeyGen.exe
• Windows Password Cracker.exe

It monitors the following browsers:

• Chrome
• Explorer
• Firefox
• Opera

It redirects the browsers to http://{BLOCKED}affik.ru/request.php?aid=hidden when the following search engines are used:

• google
• search
• yahoo
• youtube

This worm monitors the following keyword searches:

• airlines
• amazon
• antivir
• antivirus
• baseball
• books
• casino
• cialis
• cigarettes
• comcast
• craigslist
• credit
• dating
• design
• doctor
• estate
• fashion
• finance
• flights
• flower
• footbal
• football
• gambling
• gifts
• graphic
• health
• hotel
• insurance
• iphone
• loans
• medical
• military
• mobile
• money
• mortgage
• movie
• music
• myspace
• pharma
• pocker
• poker
• school
• software
• sport
• spybot
• spyware
• trading
• tramadol
• travel
• twitter
• verizon
• video
• virus
• vocations
• wallpaper
• weather

If one of the keywords above is used, it displays advertisements related to it by opening the page http://{BLOCKED}nter.com/se.php?pop={number}&aid={data}&sid={date}&key={keyword search}.