
Trojan:Win32/Alureon.EC


Trojan:Win32/Alureon.EC is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Restoring Corrupted Files
In some instances, Alureon may modify certain driver files such that they become corrupted and unusable. These corrupted files will NOT be restored by detecting and removing this threat. In order to restore functionality to the computer, the corrupted file must be restored from backup. Users are advised to boot into a recovery environment and manually replace the file with a clean copy.
Restoring DNS Settings
The Domain Name System (DNS) is used (among other things) to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, the browser uses DNS servers to find the correct IP address of the requested domain. When a user is directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can return incorrect IP addresses of their choice for particular domain names, thus directing the user to bogus or malicious sites without the affected user's knowledge.
 
Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
  • If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553
  • If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:
    %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
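The dial-up step above says to reconfigure rasphone.pbk "as necessary", which in practice means finding every phonebook entry whose IpDnsAddress or IpDns2Address field has been set and deciding whether that value belongs there. The following Python script is an added example, not part of the original write-up or of the Microsoft scanner. It assumes rasphone.pbk is INI-style text ([Entry name] sections with key=value lines, repeated keys allowed) and that a blank IpDnsAddress/IpDns2Address means the connection takes its DNS servers from the remote access server; the phonebook contents are constructed for the demonstration.

```python
"""Audit a rasphone.pbk phonebook for DNS overrides of the kind Win32/Alureon sets.

Added example; not the write-up's own code.  The resolver addresses come from
the write-up; the sample phonebook below is constructed.
"""

# Resolver addresses the write-up lists for this threat.
ALUREON_DNS = {"93.188.163.181", "93.188.166.181"}
# The two phonebook fields the write-up says the trojan rewrites.
DNS_KEYS = ("IpDnsAddress", "IpDns2Address")

# Constructed sample: one entry tampered with, one clean.  Entry names,
# ports and device strings are illustrative only.
SAMPLE_PBK = """[Office VPN]
Encoding=1
Type=2
IpDnsAddress=93.188.163.181
IpDns2Address=93.188.166.181
IpDnsFlags=0
MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (PPTP)
MEDIA=rastapi

[Home Dialup]
Encoding=1
Type=1
IpDnsAddress=
IpDns2Address=
IpDnsFlags=0
"""


def parse_pbk(text):
    """Return [(entry_name, [(key, value), ...]), ...], keeping file order and
    duplicate keys (phonebook entries repeat MEDIA= and DEVICE= lines)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            entries.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1].append((key.strip(), value.strip()))
    return entries


def find_dns_overrides(text):
    """List every entry whose DNS fields are set, flagging values that match
    the resolvers named in the write-up.  Any non-blank value is reported so
    the operator can judge legitimate static DNS settings too."""
    findings = []
    for entry, pairs in parse_pbk(text):
        for key, value in pairs:
            if key in DNS_KEYS and value:
                findings.append({"entry": entry, "key": key, "value": value,
                                 "known_alureon": value in ALUREON_DNS})
    return findings


def clear_dns_overrides(text):
    """Return a copy of the phonebook with both DNS fields blanked in every
    entry; all other lines (and line endings) are left untouched.  Whether to
    blank the fields or restore them from a pre-infection backup such as the
    rasphone.pbk.bak the scanner writes is the operator's call."""
    out = []
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        ending = raw[len(body):]
        key, sep, _ = body.strip().partition("=")
        if sep and key in DNS_KEYS:
            out.append(key + "=" + ending)
        else:
            out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    for f in find_dns_overrides(SAMPLE_PBK):
        tag = "KNOWN ALUREON RESOLVER" if f["known_alureon"] else "review"
        print(f"[{f['entry']}] {f['key']}={f['value']}  ({tag})")
```

To run it against a real phonebook, read the file named in the write-up's backup path (minus the .bak suffix) into `text`, call `find_dns_overrides(text)`, and only write back `clear_dns_overrides(text)` after confirming the flagged entries are not deliberate static DNS configuration.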

Threat behavior

Installation
In the wild, we have observed Trojan:Win32/Alureon.EC being installed by other components of the Win32/Alureon family, and a number of rogue families. 
 
Upon execution, the trojan drops itself as a .dll to the following location: 
 
<system folder>\spool\prtprocs\w32x86\<random name>.dll
 
Trojan:Win32/Alureon.EC loads the DLL by adding it to the computer's print processor provider. It then calls the Printing Subsystem hosted by the spoolsv.exe process, and forces spoolsv.exe to load the malicious DLL remotely.
 
The trojan will then move itself to the %TEMP% folder with a random name:
 
%TEMP%\<random name>
 
The malware delays deleting itself until the next reboot, in order to prevent anti-virus software from detecting it easily; it does this by making the following registry modification:
 
In subkey: \Registry\Machine\System\CurrentControlSet\Control\Session Manager
Sets value: "PendingFileRenameOperations"
With data: "<system folder>\spool\prtprocs\w32x86\<random name>.dll"
 
Trojan:Win32/Alureon.EC drops the driver component to %TEMP% folder:
 
%TEMP%\<random name>.sys - detected as Trojan:WinNT/Alureon.H
 
 
Trojan:Win32/Alureon.EC then drops two other components to its own file system:
 
  • tdlcmd.dll
  • config.ini
Payload
Modifies DNS settings
Trojan:Win32/Alureon.EC modifies the DHCP registry to point to a malicious DHCP server:
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6D27B2D4-5401-454C-A38E-BFB25BE2736A}
Sets value: "DhcpNameServer"
With data: "93.188.163.181,93.188.166.181"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Sets value: "DhcpNameServer"
With data: "93.188.163.181,93.188.166.181"
 
Contacts remote host
The trojan attempts to divert the affected user's attention by redirecting a web browser to www.microsoft.com, while it collects information from the affected computer and sends this information to the following domains:
 
  • topeate.com/kx.php
  • dynvolume.com
 
Analysis by Tim Liu

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <system folder>\spool\prtprocs\w32x86\<random name>.dll
    tdlcmd.dll
    config.ini
  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6D27B2D4-5401-454C-A38E-BFB25BE2736A}
    Sets value: "DhcpNameServer"
    With data: "93.188.163.181,93.188.166.181"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    Sets value: "DhcpNameServer"
    With data: "93.188.163.181,93.188.166.181"

    In subkey: \Registry\Machine\System\CurrentControlSet\Control\Session Manager
    Sets value: "PendingFileRenameOperations"
    With data: "<system folder>\spool\prtprocs\w32x86\<random name>.dll"
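The registry symptoms above (and the same modifications listed under Threat behavior) can be checked mechanically. The following Python script is an added example, not part of the write-up or of any Microsoft tool. It walks every interface under Tcpip\Parameters\Interfaces rather than the single GUID shown, because that GUID is specific to the machine analysed, and it matches the PendingFileRenameOperations entry on the spool\prtprocs\w32x86 directory because the DLL name is random. The in-memory snapshot format, the `collect_snapshot` helper and the sample DLL name are assumptions; the resolver addresses and paths come from the write-up.

```python
"""Check a registry snapshot for the Win32/Alureon.EC indicators in this write-up.

Added example, not the write-up's own code.  A snapshot is
{key_path_relative_to_HKLM: {value_name: data}}; it can be built by
collect_snapshot() on a Windows host or constructed offline as below.
"""
import re

# Resolver addresses named in the write-up.
ALUREON_DNS = {"93.188.163.181", "93.188.166.181"}
TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
SESSION_MGR = r"SYSTEM\CurrentControlSet\Control\Session Manager"
# Drop directory from the write-up; the file name is random, so match the directory.
PRTPROCS_RE = re.compile(r"\\spool\\prtprocs\\w32x86\\[^\\]+\.dll$", re.IGNORECASE)

# Constructed snapshot: the interface GUID and resolvers from the write-up,
# a clean second interface, and an illustrative random DLL name.
SAMPLE_SNAPSHOT = {
    TCPIP_PARAMS + r"\Interfaces\{6D27B2D4-5401-454C-A38E-BFB25BE2736A}": {
        "DhcpNameServer": "93.188.163.181,93.188.166.181", "NameServer": ""},
    TCPIP_PARAMS + r"\Interfaces\{CONSTRUCTED-CLEAN-IFACE}": {
        "DhcpNameServer": "192.168.1.1", "NameServer": ""},
    TCPIP_PARAMS: {"DhcpNameServer": "93.188.163.181,93.188.166.181"},
    SESSION_MGR: {"PendingFileRenameOperations": [
        r"\??\C:\WINDOWS\system32\spool\prtprocs\w32x86\kdxabfe.dll", "",
        r"\??\C:\WINDOWS\TEMP\legit_update.tmp", ""]},
}


def check_snapshot(snapshot):
    """Return one finding per value that matches an indicator from the write-up."""
    findings = []
    for key, values in snapshot.items():
        if key.startswith(TCPIP_PARAMS):
            for name in ("DhcpNameServer", "NameServer"):
                data = values.get(name) or ""
                # Windows stores multiple resolvers separated by spaces or commas.
                servers = {s for s in re.split(r"[ ,]+", data) if s}
                hit = servers & ALUREON_DNS
                if hit:
                    findings.append({"key": key, "value": name, "data": data,
                                     "reason": "Alureon resolver " + ",".join(sorted(hit))})
        if key == SESSION_MGR:
            # REG_MULTI_SZ: alternating source/target strings; an empty target
            # means "delete at next boot", which is how the DLL removal is deferred.
            for item in values.get("PendingFileRenameOperations") or []:
                if PRTPROCS_RE.search(item):
                    findings.append({"key": key, "value": "PendingFileRenameOperations",
                                     "data": item, "reason": "deferred delete of print processor DLL"})
    return findings


def collect_snapshot():
    """Read the relevant keys from the live registry (Windows only; uses winreg)."""
    import winreg

    def read_values(path, names):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                for n in names:
                    try:
                        out[n] = winreg.QueryValueEx(k, n)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
        return out

    snap = {TCPIP_PARAMS: read_values(TCPIP_PARAMS, ("DhcpNameServer", "NameServer"))}
    iface_root = TCPIP_PARAMS + r"\Interfaces"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, iface_root) as k:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(k, i)
            except OSError:  # no more subkeys
                break
            path = iface_root + "\\" + guid
            snap[path] = read_values(path, ("DhcpNameServer", "NameServer"))
            i += 1
    snap[SESSION_MGR] = read_values(SESSION_MGR, ("PendingFileRenameOperations",))
    return snap


if __name__ == "__main__":
    for f in check_snapshot(SAMPLE_SNAPSHOT):
        print(f"{f['key']}\\{f['value']}: {f['reason']} ({f['data']})")
```

On a live Windows host, replace `SAMPLE_SNAPSHOT` with `collect_snapshot()`; elevated rights are not needed to read these keys. A hit on DhcpNameServer alone means the resolver was handed out by DHCP (or written directly, as the write-up describes), so after removal the interface's DNS configuration should be reset as described under "Restoring DNS Settings".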

Prevention


Alert level: Severe
First detected by definition: 1.89.639.0
Latest detected by definition: 1.179.1903.0 and higher
First detected on: Aug 30, 2010
This entry was first published on: Sep 23, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Backdoor.Win32.TDSS.ahg (Kaspersky)
  • Backdoor.TDSS.YYV (VirusBuster)
  • BackDoor.Generic13.BPJ (AVG)
  • BDS/TDSS.ahf (Avira)
  • Trojan.TDSS.AGQ (BitDefender)
  • BackDoor.Siggen.26107 (Dr.Web)
  • Win32/Olmarik.ADF (ESET)
  • Backdoor.Win32.TDSS (Ikarus)
  • Generic.dx!tty (McAfee)
  • Mal/TDSSPack-AF (Sophos)
  • Packed.Win32.Tdss.ad (Sunbelt Software)
  • TROJ_TDSS.SMET (Trend Micro)