Microsoft security software detects this threat.

The threat is a member of the Alureon family of data-stealing trojans. These trojans can give a malicious hacker access to your PC to steal your confidential information, such as your user names, passwords, and credit card data.

See the Alureon and DOS/Alureon family descriptionfor more information.

What to do now

Use the following free Microsoft software to detect this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Trojan:DOS/Alureon.E is the detection name for infected Volume Boot Records (VBR) produced by certain variants of the Win32/Alureon rootkit family. The rootkit infects both 32-bit and 64-bit PCs and are usually created by Trojan:Win32/Alureon.FE.


Installs other malware components

This threat tries to access the hidden rootkit file system (VFS) to locate the file 'boot' in the VFS root folder. It then loads 'boot' and transfers control to it.

The file 'boot' prevents Windows from checking digital signatures for drivers, installs itself as a handler for hard disk read/write requests, and loads the original Windows VBR, and transfers control to it.

Each time Windows reads from the hard drive, the file 'boot' intercepts data and monitors if the kernel debugger component 'KDCOM.DLL' is loaded into memory. If so, 'boot' injects another rootkit component from the VFS root folder named either 'dbg32' or 'dbg64', depending on your PC's architecture, thus forcing Windows to load it instead of the legitimate 'KDCOM.DLL' file.

The loaded rootkit component loads the main rootkit driver, which is responsible for hiding the Alureon rootkit components.

The injected file may also prevent the Windows kernel from being debugged and may cause boot failures on PCs running 64-bitWindows XP and 64-bitWindows Server 2003.

Analysis by Sergey Chernyshev


The following could indicate that you have this threat on your PC:

  • Your PC doesn't start up properly, especially if you're running a 64-bit version of Windows XP or Windows Server 2003


Alert level: Severe
First detected by definition: 1.115.712.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 27, 2011
This entry was first published on: Oct 27, 2011
This entry was updated on: Dec 30, 2014

This threat is also detected as:
  • Rootkit.MBR.Sst.B (Boot image) (BitDefender)
  • Trojan.DOS.Alureon (Ikarus)
  • Troj/TdlMbr-D (Sophos)