
Trojan:DOS/Alureon.E


Microsoft security software detects and removes this threat.

This threat is a member of the Alureon family of data-stealing trojans. Trojans in this family let a remote attacker collect confidential information such as your user names, passwords, and credit card data.

For more information on the Alureon family, see the Alureon family description and the DOS/Alureon description.



What to do now

The following free Microsoft software detects and removes this threat:

To restore your PC, you might need to use Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you're using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:DOS/Alureon.E is the detection name for infected Volume Boot Records (VBRs) produced by certain variants of the Win32/Alureon rootkit family. The rootkit infects both 32-bit and 64-bit PCs; the infected VBRs are usually created by Trojan:Win32/Alureon.FE.

Payload

Installs other malware components


This threat tries to access the rootkit's hidden file system (VFS) to locate a file named 'boot' in the VFS root folder. It then loads 'boot' and transfers control to it.

The file 'boot' disables Windows' digital signature checks for drivers, installs itself as a handler for hard disk read/write requests, loads the original Windows VBR, and transfers control to that original VBR so the PC appears to start normally.

Each time Windows reads from the hard disk, 'boot' intercepts the data and checks whether the kernel debugger component 'KDCOM.DLL' is being loaded into memory. If so, 'boot' substitutes another rootkit component from the VFS root folder, named 'dbg32' or 'dbg64' depending on your PC's architecture, so that Windows loads it instead of the legitimate 'KDCOM.DLL'.

The substituted component then loads the main rootkit driver, which is responsible for hiding the Alureon rootkit components.

The substituted component may also prevent the Windows kernel from being debugged, and may cause boot failures on PCs running 64-bit Windows XP and 64-bit Windows Server 2003.
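Because Alureon.E is a detection for the infected VBR itself rather than for a file on the Windows file system, an offline check of the volume's first sector is a useful complement to the product scan. The script below is an added example, not code from this advisory or from Microsoft: it parses the NTFS BIOS Parameter Block (BPB), validates the sector, and compares the bootstrap code (bytes 0x54 to 0x1FD) against a baseline hash. A VBR infector must keep the BPB intact so the volume still mounts, so the BPB of a clean and an infected sector are identical and only the bootstrap hash differs. The sample sectors and bootstrap bytes are constructed here for illustration; in practice the baseline hash is taken from a known-clean installation of the same Windows build, and the sector is read from the raw volume with the PC booted from trusted media (for example Windows Defender Offline), since the rootkit's disk handler returns the original VBR to a running, infected Windows.

```python
"""Offline integrity check of an NTFS Volume Boot Record (VBR).

Added example, not code from the original advisory. A VBR infector such as
the one Alureon.E detects overwrites the bootstrap code in the volume's first
sector while keeping the BIOS Parameter Block (BPB) intact, so the volume
still mounts normally. This script parses the BPB, validates the sector, and
compares the bootstrap code with a baseline hash. The sample sectors below
are constructed, not real Windows VBRs.
"""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_START = 0x54     # bootstrap code follows the NTFS extended BPB
SIGNATURE_OFFSET = 0x1FE   # trailing 0x55 0xAA boot signature


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Decode the fields of an NTFS boot sector that a checker cares about."""
    if len(vbr) != SECTOR:
        raise ValueError("VBR must be exactly one 512-byte sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", vbr, 0x28)
    bootstrap = vbr[BOOTSTRAP_START:SIGNATURE_OFFSET]
    return {
        "jump": vbr[0:3],
        "oem_id": vbr[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "media_descriptor": vbr[0x15],
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mftmirr_cluster": mftmirr_cluster,
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "signature": struct.unpack_from("<H", vbr, SIGNATURE_OFFSET)[0],
    }


def check_vbr(vbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return findings; an empty list means the sector looks as expected."""
    f = parse_ntfs_vbr(vbr)
    findings = []
    if f["signature"] != 0xAA55:            # bytes 0x55 0xAA read little-endian
        findings.append("missing 0x55AA boot signature")
    if f["oem_id"] != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    ': %r" % f["oem_id"])
    if f["jump"][0] not in (0xEB, 0xE9):    # short or near jmp over the BPB
        findings.append("first byte is not a jmp: %02x" % f["jump"][0])
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes per sector: %d" % f["bytes_per_sector"])
    if f["media_descriptor"] != 0xF8:
        findings.append("media descriptor is not 0xF8 (fixed disk)")
    if f["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    return findings


def build_sample_vbr(bootstrap: bytes) -> bytes:
    """Construct a synthetic NTFS VBR for testing (not a real disk image)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"                          # jmp +0x52; nop
    s[3:11] = b"NTFS    "
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)       # bytes/sector, sectors/cluster, reserved
    s[0x15] = 0xF8                                     # media descriptor: fixed disk
    struct.pack_into("<HHI", s, 0x18, 63, 255, 2048)   # sectors/track, heads, hidden sectors
    struct.pack_into("<I", s, 0x24, 0x80008000)
    struct.pack_into("<QQQ", s, 0x28, 0x1FFFFFF, 786432, 2)  # total sectors, $MFT, $MFTMirr
    s[0x40] = 0xF6                                     # file record size 2**10 (signed -10)
    s[0x44] = 0x01                                     # clusters per index buffer
    struct.pack_into("<Q", s, 0x48, 0x1234567890ABCDEF)  # volume serial (constructed)
    code_len = SIGNATURE_OFFSET - BOOTSTRAP_START
    s[BOOTSTRAP_START:SIGNATURE_OFFSET] = bootstrap[:code_len].ljust(code_len, b"\x00")
    s[SIGNATURE_OFFSET:SECTOR] = b"\x55\xAA"
    return bytes(s)


# Constructed stand-ins for bootstrap code; real Windows bootstrap code is longer.
CLEAN_BOOTSTRAP = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 16
MODIFIED_BOOTSTRAP = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB\xB8\x00\x00\xCD\x13"

CLEAN_VBR = build_sample_vbr(CLEAN_BOOTSTRAP)
MODIFIED_VBR = build_sample_vbr(MODIFIED_BOOTSTRAP)
# In practice take this hash from a clean install of the same Windows build.
BASELINE = hashlib.sha256(CLEAN_VBR[BOOTSTRAP_START:SIGNATURE_OFFSET]).hexdigest()

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_VBR), ("modified", MODIFIED_VBR)):
        print(name, check_vbr(image, BASELINE) or "OK")
```

The BPB checks alone will not catch an infector that copies the BPB faithfully, which is exactly what a VBR infector does; the baseline comparison of the bootstrap code is the check that matters, and it only works when the sector is read with the rootkit not in control of disk I/O.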

Analysis by Sergey Chernyshev


Symptoms

The following could indicate that you have this threat on your PC:

  • Your PC doesn't start up properly, especially if you're running a 64-bit version of Windows XP or Windows Server 2003

Prevention


Alert level: Severe
First detected by definition: 1.115.712.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 27, 2011
This entry was first published on: Oct 27, 2011
This entry was updated on: Apr 24, 2014

This threat is also detected as:
  • Rootkit.MBR.Sst.B (Boot image) (BitDefender)
  • Trojan.DOS.Alureon (Ikarus)
  • Troj/TdlMbr-D (Sophos)