TROJ_TRACUR.SMDI
Malware type: Trojan
Destructive: No
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
In the wild: Yes

Overview



It may be downloaded by other malware/grayware/spyware from remote sites.
It may be dropped by other malware.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It adds registry entries to enable its automatic execution at every system startup.
It modifies registry entries to enable its automatic execution at every system startup.

Technical Details




Arrival Details


It may be downloaded by other malware/grayware/spyware from remote sites.


It may be dropped by other malware.


It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.



Autostart Technique


It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\InprocServer32
(default)='%System%\{random}32.dll'



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac8dec80964
DllName='%System%\{random}32.dll'



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RTHDBPL='%User Profile%\Application Data\SystemProc\lsass.exe'


It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs='%System%\{random}32.dll'


It adds the following registry keys to install itself as a Browser Helper Object (BHO):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{random CLSID}
Default=''



Download Routine


It downloads updated copies of itself from the following websites:

  • {BLOCKED}ebox.com

  • {BLOCKED}main.com

  • {BLOCKED}o.com

  • {BLOCKED}x.com


It connects to the following Web site(s) to download and execute a malicious file:

  • http://{BLOCKED}.{BLOCKED}.236.75/cdn/ppx144415070

  • http://{BLOCKED}.{BLOCKED}.228.62/index/vf0728c248567214

  • http://{BLOCKED}.{BLOCKED}.228.62/index/fs0728c125254868



Installation


It drops the following files:

  • %System%\{random}32.dll - also detected as TROJ_TRACUR.SMDI

  • %User Profile%\Application Data\55274-640-2237007-23525964C.manifest

  • %User Profile%\Application Data\55274-640-2237007-23525964O.manifest

  • %User Profile%\Application Data\55274-640-2237007-23525964P.manifest

  • %User Profile%\Application Data\55274-640-2237007-23525964S.manifest

  • %User Profile%\Application Data\SystemProc\lsass.exe - also detected as TROJ_TRACUR.SMDI


It creates the following folders:

  • %User Profile%\Application Data\SystemProc


It is injected into the following processes running in memory:

  • explorer.exe



Other System Modifications


It adds the following registry keys:

HKEY_CLASSES_ROOT\.fsharproj
Default=''



HKEY_CLASSES_ROOT\Bmwmemzewf
Default=''



HKEY_CLASSES_ROOT\Software\Bmwmemzewf
Default=''



HKEY_CURRENT_USER\Software\Bmwmemzewf
Default=''



HKEY_CURRENT_USER\Software\Classes\Software\Bmwmemzewf
Default=''



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac8dec80964
Default=''



HKEY_USERS\.DEFAULT\Software\Bmwmemzewf
Default=''


It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs='1'



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
%Windows%\Explorer.EXE='%Windows%\Explorer.EXE:*:Enabled:Windows Shell'



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%Windows%\explorer.exe='%Windows%\explorer.exe:*:Enabled:Windows Shell'
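The entries in this section, under Autostart Technique and under Installation share one pivot: the DLL named in AppInit_DLLs is the same file that sits behind the random CLSID, the Browser Helper Object registration and the Winlogon Notify subkey, and the firewall exception is for explorer.exe, the process the DLL is injected into. As an added example that is not part of the Trend Micro write-up, the following Python script parses a reg.exe export of the relevant keys and cross-references them by that DLL path, which is the search the cleanup's Step 3 performs by hand. The sample export, the CLSID {11111111-2222-3333-4444-555555555555}, the DLL name qwertz32.dll, the user name alice and the C:\WINDOWS paths are constructed placeholders for {random CLSID}, %System%\{random}32.dll, %User Profile% and %Windows%.

```python
import re
from typing import Dict, List

# Constructed sample in "reg export" format covering the keys listed above. The
# CLSID, the DLL name qwertz32.dll, the user name and the C:\ paths stand in for
# {random CLSID}, %System%\{random}32.dll, %User Profile% and %Windows%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\qwertz32.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac8dec80964]
"DllName"="C:\\WINDOWS\\system32\\qwertz32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="C:\\Documents and Settings\\alice\\Application Data\\SystemProc\\lsass.exe"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwertz32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Shell"
'''

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
POLICY_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
FIREWALL_LISTS = [r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                  r"\FirewallPolicy\%s\AuthorizedApplications\List" % p for p in ("DomainProfile", "StandardProfile")]
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # one value line: name=data

def _unquote(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s[1:-1])   # strip the quotes, undo the \\ and \" escapes

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: data}}; the default value is "@".
    REG_SZ and REG_DWORD are decoded, other types are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue                         # hex(...) continuation lines land here
        name = "@" if m.group(1) == "@" else _unquote(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unquote(data)
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys

def find_tracur_footprint(reg: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Pivot from AppInit_DLLs to the same DLL behind a CLSID, a BHO and a Winlogon
    Notify package, then check the Run policy and firewall entries the write-up lists."""
    index = {k.lower(): k for k in reg}             # registry names are case-insensitive
    def values(key: str) -> Dict[str, str]:
        orig = index.get(key.lower())
        return reg[orig] if orig else {}
    def get(key: str, name: str) -> str:
        return next((d for n, d in values(key).items() if n.lower() == name.lower()), "")
    def children(root: str) -> List[str]:
        return [orig for low, orig in index.items() if low.startswith(root.lower() + "\\")]
    hits: Dict[str, List[str]] = {k: [] for k in (
        "appinit_dlls", "load_appinit_dlls", "clsids", "bhos", "notify", "policy_run", "firewall")}
    # 1. AppInit_DLLs is loaded into every process that maps user32.dll; it may name
    #    several DLLs separated by spaces or commas. Exact paths are the pivot below.
    dlls = [d.lower() for d in re.split(r"[ ,;]+", get(WINDOWS_KEY, "AppInit_DLLs")) if d]
    hits["appinit_dlls"] = dlls
    hits["load_appinit_dlls"] = [v for v in [get(WINDOWS_KEY, "LoadAppInit_DLLs")] if v]
    # 2. The same DLL registered as a COM in-process server: CLSID\{...}\InprocServer32
    for key in children(CLSID_ROOT):
        parts = key.split("\\")
        if parts[-1].lower() == "inprocserver32" and get(key, "@").lower() in dlls:
            hits["clsids"].append(parts[2])
    # 3. One of those CLSIDs registered as a Browser Helper Object (loaded by Internet Explorer)
    flagged = {c.lower() for c in hits["clsids"]}
    hits["bhos"] = [k.split("\\")[-1] for k in children(BHO_ROOT) if k.split("\\")[-1].lower() in flagged]
    # 4. A Winlogon Notify package whose DllName is the same DLL (loaded by winlogon.exe)
    hits["notify"] = [k.split("\\")[-1] for k in children(NOTIFY_ROOT) if get(k, "DllName").lower() in dlls]
    # 5. An "lsass.exe" outside %System% started from the policies Run key
    hits["policy_run"] = [n for n, d in values(POLICY_RUN_KEY).items() if d.lower().endswith("\\systemproc\\lsass.exe")]
    # 6. Windows Firewall exceptions for explorer.exe, the process the DLL is injected into
    for key in FIREWALL_LISTS:
        hits["firewall"] += [key.split("\\")[-3] + ": " + n for n in values(key) if n.lower().endswith("\\explorer.exe")]
    return hits
```

On an XP or Server 2003 host the input is taken with reg.exe (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" nt.reg`, repeated for the other keys above and concatenated) rather than by walking the live registry. Pivoting on the exact path from AppInit_DLLs is what keeps shell32.dll and the other legitimate %System%\*32.dll COM servers from being flagged; a bare pattern on the file name would not. On the XP-era platforms listed above AppInit_DLLs is honored whether or not LoadAppInit_DLLs is set; that value only gates loading on Windows Vista and later, so its presence is an indicator here, not the mechanism.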

Solution


Minimum scan engine: 8.900
VSAPI OPR Pattern Version: 7.315.00



Step 1
Scan your computer with your Trend Micro product and note files detected as TROJ_TRACUR.SMDI

Step 2
Identify and delete files detected as TROJ_TRACUR.SMDI using either the Startup Disk or Recovery Console


Step 3
Delete the created random CLSID key
This step allows you to identify and delete the created random CLSID registry key using the file name you previously noted.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.



To delete the random CLSID key this malware/grayware/spyware created:

  1. Scan your computer with your Trend Micro product and take note of the name of the malware/grayware/spyware detected.
  2. Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.
  3. Press CTRL+F.
  4. In the Find dialog box, type the file name of the malware detected earlier.
    (Note: Make sure that only the Data checkbox is selected, then click Find Next.)
  5. Once found, in the right panel, check if the result is the following value-data pair:
    (Default) = {Malware/Grayware/Spyware path and file name}
  6. If yes, in the left panel, locate the CLSID key that the value is under.
    (Note: The CLSID is the characters enclosed in curly brackets {}. The same file name also appears in the AppInit_DLLs and DllName values handled in later steps; if the value-data pair is not under a CLSID key, repeat steps 3 and 4 to find the next match.)
  7. Right-click on the located CLSID in the left panel and choose Delete.
  8. Repeat steps 3 to 7 until the Finished searching through the registry dialog box appears.
  9. Close Registry Editor.

Step 4
Delete this registry value
This step allows you to delete the registry value created by the malware/grayware/spyware.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • LoadAppInit_DLLs = 1
  • In HKEY_CLASSES_ROOT\CLSID\{random CLSID}\InprocServer32
    • (default) = %System%\{random}32.dll
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac8dec80964
    • DllName = %System%\{random}32.dll
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • RTHDBPL = %User Profile%\Application Data\SystemProc\lsass.exe
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • %Windows%\Explorer.EXE = %Windows%\Explorer.EXE:*:Enabled:Windows Shell
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\explorer.exe = %Windows%\explorer.exe:*:Enabled:Windows Shell

To delete the registry value this malware/grayware/spyware created:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Windows
  3. In the right panel, locate and delete the entry:
    LoadAppInit_DLLs = 1
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>CLSID>{random CLSID}>InprocServer32
  5. In the right panel, locate and delete the entry:
    (default) = %System%\{random}32.dll
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon>Notify>ac8dec80964
  7. In the right panel, locate and delete the entry:
    DllName = %System%\{random}32.dll
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>Explorer>Run
  9. In the right panel, locate and delete the entry:
    RTHDBPL = %User Profile%\Application Data\SystemProc\lsass.exe
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>DomainProfile>AuthorizedApplications>List
  11. In the right panel, locate and delete the entry:
    %Windows%\Explorer.EXE = %Windows%\Explorer.EXE:*:Enabled:Windows Shell
  12. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile>AuthorizedApplications>List
  13. In the right panel, locate and delete the entry:
    %Windows%\explorer.exe = %Windows%\explorer.exe:*:Enabled:Windows Shell
  14. Close Registry Editor.

Step 5
Delete this registry key
This step allows you to delete the registry key this malware/grayware/spyware added in the Windows registry.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_CLASSES_ROOT
    • .fsharproj
  • In HKEY_CLASSES_ROOT
    • Bmwmemzewf
  • In HKEY_CLASSES_ROOT\Software
    • Bmwmemzewf
  • In HKEY_CURRENT_USER\Software
    • Bmwmemzewf
  • In HKEY_CURRENT_USER\Software\Classes\Software
    • Bmwmemzewf
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    • ac8dec80964
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • {random CLSID} (the CLSID you noted in Step 3)
  • In HKEY_USERS\.DEFAULT\Software
    • Bmwmemzewf

To delete the registry key this malware/grayware/spyware created:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT
  3. Still in the left panel, locate and delete the key:
    .fsharproj
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT
  5. Still in the left panel, locate and delete the key:
    Bmwmemzewf
  6. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>Software
  7. Still in the left panel, locate and delete the key:
    Bmwmemzewf
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software
  9. Still in the left panel, locate and delete the key:
    Bmwmemzewf
  10. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Classes>Software
  11. Still in the left panel, locate and delete the key:
    Bmwmemzewf
  12. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon>Notify
  13. Still in the left panel, locate and delete the key:
    ac8dec80964
  14. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>Browser Helper Objects
  15. Still in the left panel, locate and delete the key:
    {random CLSID} (the CLSID you noted in Step 3)
  16. In the left panel, double-click the following:
    HKEY_USERS>.DEFAULT>Software
  17. Still in the left panel, locate and delete the key:
    Bmwmemzewf
  18. Close Registry Editor.

Step 6
Restore this modified registry value
This step allows you to undo a change done by the malware/grayware/spyware to a registry value.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • From: AppInit_DLLs = %System%\{random}32.dll
      To: AppInit_DLLs =

To restore the registry value this malware/grayware/spyware modified:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Windows
  3. In the right panel, locate the registry value:
    AppInit_DLLs = %System%\{random}32.dll
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    AppInit_DLLs =
  5. Close Registry Editor.
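Steps 3 to 6 consist of key deletions, value deletions and one value reset, all of which regedit can apply in a single merge of a .reg file. As an added example that is not Trend Micro's tool or procedure, the following Python script writes that file for the CLSID found in Step 3 and for the fixed keys and values listed above; it also removes HKEY_CURRENT_USER\Software\Bmwmemzewf, which Other System Modifications lists as added. The CLSID {11111111-2222-3333-4444-555555555555} and the C:\WINDOWS default are constructed placeholders for {random CLSID} and %Windows%.

```python
from typing import Iterable, List

# Keys the write-up lists under Other System Modifications and in Step 5. Deleting
# the Notify key also removes its DllName value from Step 4.
FIXED_KEYS_TO_DELETE = (
    r"HKEY_CLASSES_ROOT\.fsharproj",
    r"HKEY_CLASSES_ROOT\Bmwmemzewf",
    r"HKEY_CLASSES_ROOT\Software\Bmwmemzewf",
    r"HKEY_CURRENT_USER\Software\Bmwmemzewf",
    r"HKEY_CURRENT_USER\Software\Classes\Software\Bmwmemzewf",
    r"HKEY_USERS\.DEFAULT\Software\Bmwmemzewf",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac8dec80964",
)

def reg_quote(s: str) -> str:
    """Quote a value name or REG_SZ datum as .reg files expect (backslash and double quote escaped)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_removal_reg(clsids: Iterable[str], windows_dir: str = r"C:\WINDOWS") -> str:
    """Text of a .reg file applying cleanup Steps 3 to 6: [-key] deletes a key with
    everything under it, "name"=- deletes one value, an empty string assignment clears it."""
    lines: List[str] = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        # Step 3: the random CLSID key; its InprocServer32 default from Step 4 goes with it
        lines += [f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]", ""]
        # Step 5: the Browser Helper Object registration of the same CLSID
        lines += [f"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{clsid}]", ""]
    for key in FIXED_KEYS_TO_DELETE:
        lines += [f"[-{key}]", ""]
    # Steps 4 and 6: drop LoadAppInit_DLLs and blank AppInit_DLLs
    lines += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]",
              '"LoadAppInit_DLLs"=-', '"AppInit_DLLs"=""', ""]
    # Step 4: the policies Run value that starts the fake lsass.exe
    lines += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]",
              '"RTHDBPL"=-', ""]
    # Step 4: firewall exceptions for explorer.exe; value names are case-insensitive,
    # so one spelling removes both the Explorer.EXE and the explorer.exe entry
    for profile in ("DomainProfile", "StandardProfile"):
        lines += [f"[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
                  f"\\FirewallPolicy\\{profile}\\AuthorizedApplications\\List]",
                  reg_quote(windows_dir + r"\explorer.exe") + "=-", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    # Placeholder CLSID standing in for the one found in Step 3.
    text = build_removal_reg(["{11111111-2222-3333-4444-555555555555}"])
    with open("tracur_cleanup.reg", "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(text)               # merge on the host with: regedit /s tracur_cleanup.reg
```

Merge the file only after Step 2, while the DLL is not loaded (Safe Mode or the Recovery Console), because an explorer.exe with the DLL injected can recreate the entries. Blanking AppInit_DLLs also drops any legitimate DLLs that were listed there, so copy that value before merging if it held anything besides the {random}32.dll path. The .manifest files and the SystemProc folder (Steps 7 and 8) are files, not registry entries, and still have to be deleted separately.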

Step 7
Search and delete these files
This step allows you to search and delete nonmalicious component files dropped or downloaded by this malware/grayware/spyware. There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the 'More advanced options' option to include all hidden files and folders in the search result.
  • %User Profile%\Application Data\55274-640-2237007-23525964C.manifest
  • %User Profile%\Application Data\55274-640-2237007-23525964O.manifest
  • %User Profile%\Application Data\55274-640-2237007-23525964P.manifest
  • %User Profile%\Application Data\55274-640-2237007-23525964S.manifest

  • To delete malware/grayware/spyware component files:

    1. Search for the following files:
      • %User Profile%\Application Data\55274-640-2237007-23525964C.manifest
      • %User Profile%\Application Data\55274-640-2237007-23525964O.manifest
      • %User Profile%\Application Data\55274-640-2237007-23525964P.manifest
      • %User Profile%\Application Data\55274-640-2237007-23525964S.manifest

      Note: To do a search for the following files, right-click Start then click Search... or Find..., depending on the version of Windows you are running. For each file to be deleted, type its file name in the Named input box. In the Look In drop-down list, select My Computer, then press Enter.
    2. Once located, select the file then press SHIFT+DELETE to permanently delete the file.
    3. Repeat the said steps for all files listed.

Step 8
Search and delete this folder
This step allows you to search and delete the folder created by this malware/grayware/spyware. Please make sure you check the Search Hidden Files and Folders checkbox under More advanced options to include all hidden folders in the search result.
  • %User Profile%\Application Data\SystemProc

To delete the malware/grayware/spyware folder:

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    %User Profile%\Application Data\SystemProc
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the folder then press SHIFT+DELETE to permanently delete the folder.

Step 9
Scan your computer with your Trend Micro product to delete files detected as TROJ_TRACUR.SMDI
If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
