
Trojan:Win32/Alureon


Microsoft security software detects and removes this threat. 

This threat is a dropper component of the Win32/Alureon family of trojans. It installs a driver, which is detected as Trojan:WinNT/Alureon.L, and connects to a server to send information about your PC to a malicious hacker.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Alureon copies itself in the Windows Temporary Files folder using a file name with the following format:

It converts this copy into a DLL file with another name that also follows the format discussed previously.

Trojan:Win32/Alureon then attempts to install its copy as a print provider. If this fails, it attempts to manually restart the "spooler" service.

Payload

Installs other malware

Trojan:Win32/Alureon drops a file with a name that follows the format discussed in the previous section. This dropped file is detected as Trojan:WinNT/Alureon.L.

It registers its dropped file as a system service with a random file name so that it automatically runs every time Windows starts, for example:

  • HKLM\Registry\Machine\System\CurrentControlSet\Services\311bdcb8\

Connects to a remote server

Trojan:Win32/Alureon connects to a remote address, such as "95.143.193.138", to send information about the affected PC. The information is encoded before it is sent.
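A defender-side hunting script for the persistence artifacts described above, added here as an example rather than taken from the Microsoft write-up. It assumes Alureon-style service names are eight lowercase hex characters (as in the sample key `311bdcb8`) and that the host's only legitimate print providers are the two Windows defaults; anything it lists is a lead for manual review, not a verdict.

```powershell
# Added hunting script (not from the Microsoft write-up). Flags service keys whose
# names look like Alureon's random 8-hex-character names, or whose ImagePath points
# into a Temp folder, and lists print providers whose DLL is not a Windows default.
# Run in an elevated PowerShell session; review every hit manually.

$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$providersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers'
$tempPattern  = '(?i)\\Temp\\'      # matches C:\Windows\Temp\... and user Temp paths
$randomName   = '^[0-9a-f]{8}$'     # assumption: random names are 8 lowercase hex chars

Write-Host '== Services with random-looking names or Temp-folder binaries =='
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $name    = $_.PSChildName
    $props   = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $image   = [string]$props.ImagePath
    $reasons = @()
    if ($name  -match $randomName)  { $reasons += 'random 8-hex service name' }
    if ($image -match $tempPattern) { $reasons += 'ImagePath in a Temp folder' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service   = $name
            ImagePath = $image
            Start     = $props.Start   # 0=boot 1=system 2=auto 3=manual 4=disabled
            Reason    = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize

Write-Host '== Print providers (Windows defaults: win32spl.dll, inetpp.dll) =='
$knownProviderDlls = @('win32spl.dll', 'inetpp.dll')
Get-ChildItem -Path $providersKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $dll   = [string]$props.Name                      # provider DLL, sometimes a full path
    $leaf  = [System.IO.Path]::GetFileName($dll).ToLower()
    [pscustomobject]@{
        Provider = $_.PSChildName
        Dll      = $dll
        Known    = ($knownProviderDlls -contains $leaf)
    }
} | Format-Table -AutoSize
```

A provider row with `Known` set to False, or a service whose ImagePath lives under a Temp folder, should be checked against the detections listed on this page before any cleanup.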

Analysis by Andrei Florin Saygo


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.179.633.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 17, 2007
This entry was updated on: May 14, 2014

This threat is also detected as:
  • Win-Trojan/Tdss.174080.BM (AhnLab)
  • Trojan.Win32.Alureon (Ikarus)
  • Mal/Rorpian-C (Sophos)
  • Gen:Variant.Kazy.34946 (BitDefender)
  • BackDoor.Tdss.5070 (Dr.Web)
  • Trojan.Win32.Menti.hvdp (Kaspersky)
  • Backdoor.Tidserv (Symantec)