Trojan:Win32/Dursg.C is a trojan that redirects Web searches when a user enters certain key words as a search query in specific search sites.
Installation
Trojan:Win32/Dursg.C may be installed by other malware such as Worm:Win32/Prolaco.K. When run, the trojan creates the following components:
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul
%USERPROFILE%\Application Data\systemproc\lsass.exe - Trojan:Win32/Dursg.C
The trojan may also drop a copy of itself as "c:\autoexec.exe". The registry is modified so that the trojan runs at each Windows start:
Adds value: "RTHDBPL"
With data: "%USERPROFILE%\Application Data\systemproc\lsass.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
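As an added example that is not part of the encyclopedia entry, the script below checks a host snapshot for the installation and persistence artifacts listed above: the Explorer policies Run value "RTHDBPL", a copy of lsass.exe outside %SystemRoot%\System32 (the masquerade the trojan relies on), the Firefox extension directory with the GUID from the entry, and the dropped "c:\autoexec.exe". The registry entries and file paths it scans are constructed inline so it runs offline; on a real host they would come from a registry export and a directory listing, which is an assumption of this example rather than anything the entry describes.

```python
# Added example, not from the encyclopedia entry: an offline checker for the
# Trojan:Win32/Dursg.C installation and persistence artifacts described above.
import ntpath

# Indicators copied from the entry.
DURSG_EXTENSION_GUID = "{9ce11043-9a15-4207-a565-0c94c42d590d}"
DURSG_RUN_VALUE = "RTHDBPL"
DURSG_RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
DURSG_DROP_COPY = r"c:\autoexec.exe"

# The genuine lsass.exe lives only in %SystemRoot%\System32; any other location
# (here, Application Data\systemproc) is a name-masquerading indicator.
LEGIT_LSASS_DIRS = (r"\windows\system32",)


def _norm(path):
    """Lower-case and use backslashes so comparisons are case- and separator-insensitive."""
    return path.replace("/", "\\").lower()


def check_run_entries(run_entries):
    """run_entries: {registry_key: {value_name: data}} snapshot of autostart locations."""
    findings = []
    for key, values in run_entries.items():
        for name, data in values.items():
            ndata = _norm(data)
            # Exact match on the persistence value documented for Dursg.C.
            if _norm(key) == _norm(DURSG_RUN_KEY) and name == DURSG_RUN_VALUE:
                findings.append(f"Run value {name} in {key} -> {data}")
            # Generic check: lsass.exe started from anywhere but System32.
            if ntpath.basename(ndata) == "lsass.exe" and not any(
                d in ntpath.dirname(ndata) for d in LEGIT_LSASS_DIRS
            ):
                findings.append(f"lsass.exe launched from non-system path: {data}")
    return findings


def check_files(paths):
    """paths: list of file paths present on the host."""
    findings = []
    for p in paths:
        np_ = _norm(p)
        if DURSG_EXTENSION_GUID in np_ and "\\mozilla firefox\\extensions\\" in np_:
            findings.append(f"Dursg Firefox extension component: {p}")
        if np_ == DURSG_DROP_COPY or np_.endswith("\\systemproc\\lsass.exe"):
            findings.append(f"Dropped trojan copy: {p}")
    return findings


# Constructed sample snapshot: one infected-looking Run entry, one benign entry,
# and a mix of Dursg artifacts and legitimate files.
SAMPLE_RUN_ENTRIES = {
    DURSG_RUN_KEY: {"RTHDBPL": r"%USERPROFILE%\Application Data\systemproc\lsass.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ExampleUpdater": r"C:\Program Files\Example\updater.exe"  # constructed benign entry
    },
}
SAMPLE_PATHS = [
    r"C:\Program Files\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf",
    r"C:\Windows\System32\lsass.exe",  # the real one: must not be flagged
    r"C:\Documents and Settings\user\Application Data\systemproc\lsass.exe",
    r"c:\autoexec.exe",
    r"C:\autoexec.bat",  # legitimate file with a similar name: must not be flagged
]


def scan(run_entries=SAMPLE_RUN_ENTRIES, paths=SAMPLE_PATHS):
    """Return all findings for the given snapshot (five for the constructed sample)."""
    return check_run_entries(run_entries) + check_files(paths)


if __name__ == "__main__":
    for finding in scan():
        print("[!]", finding)
```

The lsass.exe location check is deliberately broader than the single path in the entry: it flags any autostart entry that launches a file named lsass.exe from outside System32, which catches the same masquerade under a different drop directory.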
Payload
Redirects user searches
When a user uses the Web browser to conduct searches using certain search engines, the browser is redirected to the server "searchrequest2.com". The following search engines are impacted by the trojan:
- Google.com
- Ask.com
- Yahoo.com
- AOL.com search
- Bing.com
Downloads arbitrary files
The trojan attempts to download arbitrary files from the domain "qulino.com". At the time of this writing, the server was unavailable.
Displays pop-up advertisements
Trojan:Win32/Dursg.C monitors the following Web browsers:
- Internet Explorer
- Opera
- Chrome
- Firefox
The trojan monitors keyword searches, including the following (partial list):
- antivir
- antivirus
- baby
- bany
- baseball
- books
- casino
- cialis
- craigslist
- credit
- dating
- design
- diet
- ebay
- estate
- finance
- football
- gambling
- gifts
- golf
- graphic
- health
- hotel
- insurance
- job
- loans
- money
- mortgage
- myspace
- pharma
- pocker
- poker
- porn
- shop
- spyware
- travel
- video
- virus
- vocations
If any of the above-listed keywords is used as a search term, the trojan displays pop-up advertisements from the domain "searchxx.com".
Additional Information
The trojan creates other registry data to record adware pop-up information on the affected computer:
HKCU\Identities\First Start
HKCU\Identities\Last Time
HKCU\Identities\Last Date
HKCU\Identities\Curr version
HKCU\Identities\Send Inst
HKCU\Identities\Inst Date
HKCU\Identities\Popup count
HKCU\Identities\Popup time
HKCU\Identities\Popup date
Analysis by Tim Liu