The Malicious Software Removal Tool (MSRT) targets two prevalent families in this July 2011 release, Win32/Tracur and Win32/Dursg. Both families share common functionality that monitors user web search queries and redirects to a malicious URL to display advertisements or download more malware. It affects users of web browsers such as Internet Explorer, Firefox, Opera and Chrome.
For instance, Win32/Tracur installs a browser helper object, or BHO, for IE to monitor web search queries. It also drops Win32/Dursg to install malicious extensions for Firefox and Opera. User query results from search engines such as Google, Yahoo!, AOL, Ask and Bing will be redirected to a malicious site. To guarantee Win32/Tracur control, it modifies several registry entries. To disguise its presence, dropped files are named similarly to Windows DLLs:
Figure 1: Snapshot of the infected Windows system folder
In the above figure, notice that new files such as audiosrv23.dll, dmime32.dll, and hnetmon32.exe do not usually exist in a clean system. Win32/Dursg on the other hand, installs Mozilla Firefox and Opera extensions as illustrated below to accomplish the same task.
Figure 2: Malicious Firefox extension
Figure 3: Malicious Opera extension
Microsoft releases an updated version of the Malicious Software Removal Tool (MSRT) on the second Tuesday of each month, and as needed to respond to security incidents. The tool is available from our Malicious Software Removal Tool page, Microsoft Update, Windows Update and the Microsoft Download Center. Visit our Malicious Software Removal Tool page for more information about the tool or how to install it
-- Rodel Finones, MMPC