Trojan:Win32/Alureon.DX


Trojan:Win32/Alureon.DX is a rootkit that differs in behavior depending on whether the operating system is 32-bits or 64-bits.
 
Trojan:Win32/Alureon.DX is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

On a 32-bit-based operating system:
 
Trojan:Win32/Alureon.DX copies itself (its source file, accessed through a path of the form \\?\globalroot\Device\HarddiskVolume1\directory\sourcefile.exe) to the %Temp% directory, for example as %temp%\tmpfile1.tmp.
 
It then converts its copy into a DLL file; for example, %temp%\tmpfile1.tmp is converted to %temp%\tmpfile2.tmp.
 
It attempts to install the DLL file as a print provider.
 
Trojan:Win32/Alureon.DX may attempt to manually start the "spooler" service. If it fails, it tries a second time.
 
The DLL file drops a driver to the disk, for example %temp%\tmpfile3.tmp. The dropped driver is detected as Trojan:WinNT/Alureon.L.
 
Trojan:Win32/Alureon.DX makes the following registry modifications for the dropped driver, before attempting to load the driver:
 
Adds value: "ImagePath"
With data: "\??\%temp%\<driver file name>.tmp"
In subkey: HKLM\System\CurrentControlSet\Services\<service name>
 
Adds value: "Type"
With data: "1"
In subkey: HKLM\System\CurrentControlSet\Services\<service name>
 
Where <service name> is a string of randomly generated characters.
 
These modifications are then deleted.
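The service entries described above (a kernel-driver service, Type 1, whose ImagePath points at a .tmp file under %temp%) are a hunt-worthy pattern even though the trojan deletes them after loading the driver: exported registry snapshots, Sysmon registry events or System event log entries for service creation will still carry them. The following is an added example, not code from the original write-up, that applies that check to service records. The service names, paths and environment values are constructed sample data.

```python
"""Flag kernel-driver services whose binary is a .tmp file under a temp directory.

Added example (not from the original write-up). Input is a mapping of
service name -> values, the shape an exporter of
HKLM\\System\\CurrentControlSet\\Services\\<name> would produce.
"""
import ntpath
import re

SERVICE_KERNEL_DRIVER = 1  # value of the Win32 SERVICE_KERNEL_DRIVER constant

# Constructed sample records; the service names and paths are made up.
SAMPLE_SERVICES = {
    "Tcpip": {"ImagePath": r"\SystemRoot\System32\drivers\tcpip.sys", "Type": 1},
    "Spooler": {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Type": 16},
    "kdf93jd2": {"ImagePath": r"\??\C:\Users\alice\AppData\Local\Temp\tmp1A2B.tmp", "Type": 1},
    "mf8aq12x": {"ImagePath": r"\??\%temp%\tmpfile3.tmp", "Type": "1"},
    "GoodDrv": {"ImagePath": r"system32\DRIVERS\gooddrv.sys", "Type": 1},
}

# Environment as seen on the exporting host; constructed for the example.
SAMPLE_ENV = {"temp": r"C:\Users\alice\AppData\Local\Temp"}

# A path component named "temp" or "tmp" anywhere in the directory part.
TEMP_DIR_RE = re.compile(r"(^|\\)(temp|tmp)($|\\)", re.IGNORECASE)


def normalize_image_path(raw, env):
    """Strip the NT "\\??\\" prefix and expand %var% tokens from the given env."""
    path = raw
    if path.startswith("\\??\\"):
        path = path[4:]

    def expand(match):
        return env.get(match.group(1).lower(), match.group(0))

    return re.sub(r"%([^%]+)%", expand, path)


def is_suspicious_driver(values, env=SAMPLE_ENV):
    """True for a kernel driver whose image is a .tmp file inside a temp directory."""
    try:
        svc_type = int(values.get("Type", -1))
    except (TypeError, ValueError):
        return False
    if svc_type != SERVICE_KERNEL_DRIVER:
        return False
    path = normalize_image_path(values.get("ImagePath", ""), env)
    directory, filename = ntpath.split(path)
    in_temp = bool(TEMP_DIR_RE.search(directory))
    tmp_extension = ntpath.splitext(filename)[1].lower() == ".tmp"
    return in_temp and tmp_extension


def find_suspicious_drivers(services, env=SAMPLE_ENV):
    """Return the sorted names of services matching the pattern."""
    return sorted(name for name, values in services.items()
                  if is_suspicious_driver(values, env))


if __name__ == "__main__":
    for name in find_suspicious_drivers(SAMPLE_SERVICES):
        print("suspicious driver service:", name, SAMPLE_SERVICES[name]["ImagePath"])
```

The check normalizes the "\??\" prefix and the %temp% token before looking at the path, because both forms appear in the registry data above; matching on the raw string would miss one of them.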
 
Trojan:Win32/Alureon.DX generates a unique GUID by retrieving data from the following registry key value:
 
  • \registry\machine\software\microsoft\cryptography\machineguid
 
Trojan:Win32/Alureon.DX copies the following files to an encrypted virtual file system (VFS):
 
  • bckfg.tmp
  • cfg.ini
  • cmd.dll
  • cmd64.dll
  • drv32
  • drv64
  • ldr16
  • ldr32
  • ldr64
 
The dropped driver is responsible for loading these files from the encrypted VFS. It is also responsible for modifying the Master Boot Record (MBR). The modified MBR is detected as Trojan:DOS/Alureon.A.
 
On a 64-bit-based operating system:
 
Trojan:Win32/Alureon.DX writes directly into the encrypted virtual file system (VFS). It also attempts to directly modify the Master Boot Record (MBR). After attempting these modifications, it attempts to force a reboot of the computer.
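Both the 32-bit path (via the dropped driver) and the 64-bit path (directly) end with a rewritten MBR. A baseline comparison of the first sector is the simplest integrity check for that: a bootkit replaces the boot code but must keep the partition table usable, so splitting the sector into boot code, partition table and signature tells the two kinds of change apart. The following is an added example, not code from the original write-up; the sectors it compares are constructed in the script, and reading the real sector 0 from a disk device is left to the caller.

```python
"""Compare a captured 512-byte boot sector against a known-good baseline.

Added example (not from the original write-up). The MBR layout used here is
the standard one: 446 bytes of boot code, four 16-byte partition entries at
offset 446, and the 0x55AA signature at offset 510.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PT_OFFSET = 446
PT_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"


def make_sample_mbr(boot_code_fill):
    """Constructed sector: filler boot code, one NTFS-type partition, valid signature."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    # Entry: bootable flag, CHS start, type 0x07, CHS end, LBA start, sector count.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PT_ENTRY_LEN * 3)
    return boot_code + table + SIGNATURE


def sector_digests(sector):
    """SHA-256 of the boot code and of the partition table, plus signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    table = sector[PT_OFFSET:PT_OFFSET + 4 * PT_ENTRY_LEN]
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(table).hexdigest(),
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def compare_mbr(baseline, current):
    """Classify how the current sector differs from the baseline."""
    base, cur = sector_digests(baseline), sector_digests(current)
    if not cur["signature_ok"]:
        return "invalid-signature"
    if base["boot_code"] == cur["boot_code"] and base["partition_table"] == cur["partition_table"]:
        return "unchanged"
    if base["partition_table"] == cur["partition_table"]:
        return "boot-code-modified"  # the pattern a bootkit leaves behind
    return "partition-table-modified"


if __name__ == "__main__":
    clean = make_sample_mbr(0x90)
    tampered = make_sample_mbr(0xEB)  # same partition table, different boot code
    print("clean vs clean:", compare_mbr(clean, clean))
    print("clean vs tampered:", compare_mbr(clean, tampered))
```

Record the baseline digests when the machine is known to be clean (for example right after deployment) and keep them off the host, because a kernel-mode rootkit that controls disk reads can also hand back a clean-looking sector to any check run on the infected system; the comparison is most reliable when the sector is read from offline media or a boot environment.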

Additional information

Contacts remote servers
 
Trojan:Win32/Alureon.DX attempts to contact the following servers:
 
  • 34jh7alm94.asia
  • 61.61.20.132
  • 61.61.20.135
  • 68b6b6b6.com
  • 91jjak4555j.com
  • a74232357.cn
  • a76956922.cn
  • cri71ki813ck.com
  • lk01ha71gg1.cc
  • nyewrika.in
  • rukkieanno.in
  • zl091kha644.com
 
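The contact list above is directly usable as network indicators. The following is an added example, not code from the original write-up, that matches DNS query and outbound connection records against those domains and IP addresses. Matching is suffix-based on domain labels so that subdomains of an indicator hit while look-alike names that merely end in the same characters do not. The log lines are constructed sample data in a made-up format.

```python
"""Match DNS/connection log lines against the Alureon.DX contact list.

Added example (not from the original write-up). The indicator domains and
IPs are the ones listed in the write-up; the log format and lines are
constructed for the example.
"""
import ipaddress
import re

INDICATOR_DOMAINS = {
    "34jh7alm94.asia", "68b6b6b6.com", "91jjak4555j.com", "a74232357.cn",
    "a76956922.cn", "cri71ki813ck.com", "lk01ha71gg1.cc", "nyewrika.in",
    "rukkieanno.in", "zl091kha644.com",
}
INDICATOR_IPS = {ipaddress.ip_address("61.61.20.132"),
                 ipaddress.ip_address("61.61.20.135")}

# Constructed sample log: "<timestamp> <client> query|connect <value>"
SAMPLE_LOG = """\
2010-08-27T10:01:02Z 10.0.0.5 query www.68B6B6B6.com.
2010-08-27T10:01:03Z 10.0.0.5 connect 61.61.20.135:80
2010-08-27T10:01:04Z 10.0.0.7 query www.example.com.
2010-08-27T10:01:05Z 10.0.0.7 query notnyewrika.in.
2010-08-27T10:01:06Z 10.0.0.9 connect 61.61.20.200:443
2010-08-27T10:01:07Z 10.0.0.9 query cdn.a76956922.cn
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(query|connect)\s+(\S+)$")


def domain_matches(name):
    """Return the matching indicator for a host name (exact or subdomain), else None."""
    host = name.rstrip(".").lower()
    for indicator in INDICATOR_DOMAINS:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def ip_matches(value):
    """Return the matching indicator IP for "addr" or "addr:port", else None."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return str(addr) if addr in INDICATOR_IPS else None


def scan_log(text):
    """Return (timestamp, client, indicator) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        timestamp, client, kind, value = match.groups()
        indicator = domain_matches(value) if kind == "query" else ip_matches(value)
        if indicator:
            hits.append((timestamp, client, indicator))
    return hits


if __name__ == "__main__":
    for timestamp, client, indicator in scan_log(SAMPLE_LOG):
        print(timestamp, client, "->", indicator)
```

Because the trojan also tampers with DNS settings on the host, DNS-level matching should be done at the resolver or network egress rather than only on the endpoint's own query log, and the IP indicators remain useful when the domain names are resolved elsewhere.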
Analysis by Scott Molenkamp

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.87.1229.0
Latest detected by definition: 1.179.2167.0 and higher
First detected on: Aug 04, 2010
This entry was first published on: Aug 27, 2010
This entry was updated on: Aug 30, 2010

This threat is also detected as:
  • Dropper.Agent.YXL (AVG)