The July 2011 release of Microsoft's Malicious Software Removal Tool (MSRT) targets two prevalent families: Win32/Tracur and Win32/Dursg. "Both families share common functionality that monitors user web search queries and redirects to a malicious URL to display advertisements or download more malware. It affects users of web browsers such as Internet Explorer, Firefox, Opera and Chrome," revealed MMPC.
"For instance, Win32/Tracur installs a browser helper object, or BHO, for IE to monitor web search queries. It also drops Win32/Dursg to install malicious extensions for Firefox and Opera. User query results from search engines such as Google, Yahoo!, AOL, Ask and Bing will be redirected to a malicious site. To guarantee Win32/Tracur control, it modifies several registry entries," explains MMPC.
To disguise the infection, the dropped files are given names that resemble those of legitimate Windows DLLs (see figure). In the figure below, notice that files such as audiosrv23.dll, dmime32.dll, and hnetmon32.exe do not usually exist on a clean system. Win32/Dursg, on the other hand, installs Mozilla Firefox and Opera extensions, as illustrated below, to accomplish the same task.
Win32/Dursg has been seen distributed alongside other malware and file infectors such as Sality, Virut, Polip, Alureon, and Tracur, to name just a few, which further assists its wide distribution.
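The naming trick described above (a genuine Windows binary name with a numeric suffix appended, sometimes with the extension changed) is simple enough to triage mechanically. The following Python is an added example, not code from the article or from Microsoft; it flags lookalike file names in a directory listing and in a set of Browser Helper Object registrations. The reference set of legitimate binaries is a small constructed sample (a real triage would load it from a clean reference system), and the CLSIDs and paths are made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of legitimate Windows binary names. The first three are the
# names the article says Win32/Tracur imitates; the rest are common system files
# whose real names legitimately carry digits, to show the check does not flag them.
KNOWN_SYSTEM_BINARIES = {
    "audiosrv.dll", "dmime.dll", "hnetmon.dll",
    "kernel32.dll", "user32.dll", "ws2_32.dll", "svchost.exe",
}


def lookalike_of(filename, known=KNOWN_SYSTEM_BINARIES):
    """Return the legitimate binary name that `filename` imitates, or None.

    A lookalike is a known name with one or more digits appended to its stem
    (audiosrv -> audiosrv23); the extension may differ (hnetmon.dll -> hnetmon32.exe).
    Exact matches against the known set are genuine and are never flagged.
    """
    name = filename.lower()
    if name in known:
        return None
    stem, dot, _ext = name.rpartition(".")
    if not dot:
        return None
    # Peel trailing digits off one at a time so that kernel3232.dll still
    # resolves to kernel32.dll rather than to the non-existent kernel.dll.
    while stem and stem[-1].isdigit():
        stem = stem[:-1]
        for ext in ("dll", "exe"):
            candidate = f"{stem}.{ext}"
            if candidate in known:
                return candidate
    return None


def triage_listing(names, known=KNOWN_SYSTEM_BINARIES):
    """Return sorted (suspicious_name, imitated_name) pairs from a directory listing."""
    hits = []
    for name in names:
        imitated = lookalike_of(name, known)
        if imitated:
            hits.append((name, imitated))
    return sorted(hits)


def triage_bhos(bhos, known=KNOWN_SYSTEM_BINARIES):
    """Return (clsid, dll_path, imitated_name) for BHOs whose DLL name is a lookalike.

    `bhos` maps a CLSID registered under
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects
    to the path recorded in that CLSID's InprocServer32 key. On a live Windows host
    the dictionary would be built with the standard-library `winreg` module; here it
    is supplied inline so the example runs anywhere.
    """
    findings = []
    for clsid, path in bhos.items():
        filename = PureWindowsPath(path).name
        imitated = lookalike_of(filename, known)
        if imitated:
            findings.append((clsid, path, imitated))
    return findings


# Constructed sample inputs (placeholder CLSIDs, not real registrations).
SAMPLE_SYSTEM32_LISTING = [
    "audiosrv.dll", "audiosrv23.dll", "dmime.dll", "dmime32.dll",
    "hnetmon.dll", "hnetmon32.exe", "kernel32.dll", "svchost.exe", "ws2_32.dll",
]
SAMPLE_BHOS = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\Program Files\Example Vendor\toolbar.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\Windows\system32\audiosrv23.dll",
}

if __name__ == "__main__":
    for name, imitated in triage_listing(SAMPLE_SYSTEM32_LISTING):
        print(f"suspicious file {name}: imitates {imitated}")
    for clsid, path, imitated in triage_bhos(SAMPLE_BHOS):
        print(f"suspicious BHO {clsid} -> {path} (imitates {imitated})")
```

The check is a triage heuristic, not proof of infection: a hit should be confirmed by inspecting the file's digital signature and its registration details, and a clean result says nothing about extensions installed in Firefox or Opera profile directories, which need a separate enumeration.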
Microsoft releases an updated version of the Malicious Software Removal Tool (MSRT) on the second Tuesday of each month.