
Trojan:Win32/Alureon.FE


Trojan:Win32/Alureon.FE is a trojan that installs other variants of Win32/Alureon, a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. It may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after disinfection. Trojan:Win32/Alureon.FE also modifies the MBR to execute installed Alureon components.



What to do now

The Win32/Alureon trojan may enable an attacker to transmit malicious data to the infected computer. Recovering from this situation may require measures beyond removing the trojan itself from the computer.
 
To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Additional recovery instructions

This threat uses stealth, and you may need to boot to a trusted environment in order to remove it. The threat may also make changes to your computer that make it difficult for you to download, install or update your virus protection, whether or not you have a complete antivirus product such as Microsoft Security Essentials installed on your computer.

If you suspect your computer has been compromised, we recommend using Windows Defender Offline to detect and remove this threat.

Using Windows Defender Offline

Windows Defender Offline works by allowing you to:

  • Download a copy of the tool from a computer that has access to the internet
  • Save a copy of the recovery tool to a removable drive, in order to create bootable media
  • Run the recovery tool on a compromised computer

You might want to use Windows Defender Offline when:

  • You need to scan your computer to check for rootkits and other malware
  • You are infected with malware that prevents you from downloading and installing an antivirus or the latest updates for your antivirus software
  • Your antivirus does not detect or remove advanced malware, such as a rootkit

Note: Windows Defender Offline is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start or otherwise effectively scan your infected computer due to a virus or other malware actively running on the computer and impeding the effective action of antimalware software. For no-cost, real-time protection that helps guard your home or small business computers against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

  1. Determine if you require the 32-bit or 64-bit download.

    See the Microsoft Help and Support article for instructions on how to determine whether a computer is running a 32-bit or 64-bit version of the Windows operating system.
  2. Using a computer that can connect to the internet, download the version of Windows Defender Offline that applies to the affected computer.

    If the affected computer is a:

    - 32-bit computer, then download the 32-bit version here.
    - 64-bit computer, then download the 64-bit version here.

    Note: In order for the recovery tool to be effective, make sure you download the version that matches the architecture of the affected computer. For example, if your 64-bit desktop is affected, you will need to download the 64-bit version of Windows Defender Offline and save it to a removable drive.
  3. Save the downloaded file to a local drive on your computer.
  4. Launch the downloaded file, and create a bootable device by following the instructions on the wizard.

    Note: We recommend creating a bootable USB or CD; if you create a bootable USB, this can be updated for future use.
  5. From the affected computer, boot from the USB or CD you created in step 4.

    Note: You may need to set the boot order in the BIOS to do this. This will be device specific, so if you are unsure, refer to your system manual or manufacturer.
  6. Follow the prompts to run a full system scan.

    Depending on the outcome of the scan, your next steps will vary. Follow the prompts from Windows Defender Offline to manage any threat detections.

Steps you can take once your computer has been cleaned

  • Install security software, such as Microsoft Security Essentials, or other products that provide a complete, real-time antivirus solution.
  • Keep your antivirus up to date by making sure you have the latest definitions.
  • Use the Microsoft Safety Scanner if you suspect you are infected but are unable to confirm this with your existing antivirus solution.

Restoring Corrupted Files

In some instances, Alureon may modify certain driver files such that they become corrupted and unusable. These corrupted files will NOT be restored by detecting and removing this threat. In order to restore functionality to the computer, the corrupted file must be restored from backup. Users are advised to boot into a recovery environment and manually replace the file with a clean copy.

Restoring DNS Settings

The Domain Name System (DNS) is used (among other things) to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, a browser will use DNS servers to find the correct IP address of the requested domain. When a user is directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can provide incorrect IP addresses of their choice to map to particular domain names, thus directing the user to possibly bogus or malicious sites without the affected user's knowledge.
 
Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the removal is complete:
  • If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553
  • If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as the trojan may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes the trojan backs up the infected dial-up configuration file to:
    %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
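
The dial-up check described above can be scripted when many phonebook entries need review. The following is an added example, not Microsoft's removal code: it assumes the phonebook is laid out as `[EntryName]` sections of `Key=Value` lines and that `0.0.0.0` means no static server is set, and the function names and the sample phonebook are constructed for illustration.

```python
import ipaddress

DNS_FIELDS = ("IpDnsAddress", "IpDns2Address")
# Constructed sample, not taken from an infected machine. The addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_PBK = """\
[Home ISP]
IpDnsAddress=0.0.0.0

[Office Dial-up]
IpDnsAddress=203.0.113.53
IpDns2Address=203.0.113.54

[Branch]
IpDnsAddress=192.0.2.10
IpDns2Address=not-an-ip
"""

def parse_dns_fields(text):
    """Map each [entry] to the DNS fields it sets, ignoring all other keys."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in DNS_FIELDS:
                current[key.strip()] = value.strip()
    return entries

def audit(text, trusted=()):
    """Return (entry, field, value, reason) for every DNS value needing review."""
    allowed = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for entry, fields in parse_dns_fields(text).items():
        for field, value in fields.items():
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append((entry, field, value, "not an IP address"))
                continue
            # Assumption: 0.0.0.0 means no static server is configured.
            if not addr.is_unspecified and addr not in allowed:
                findings.append((entry, field, value, "static DNS not in trusted list"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_PBK, trusted=["192.0.2.10"]), sep="\n")
```

Pass the resolver addresses your ISP or organization actually issues as `trusted`; anything the audit returns is a candidate for manual reset in the dial-up settings.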

Threat behavior

Installation

Trojan:Win32/Alureon.FE is installed by other variants of Win32/Alureon and may be dropped as the following file:

  • %TEMP%\javaw.exe

When run, the trojan installs other components that are detected as variants of Win32/Alureon, including Trojan:Win32/Alureon.EN, Trojan:Win32/Alureon.EO and Trojan:Win32/Alureon.FE. Trojan:Win32/Alureon.FE modifies the MBR to execute the installed files. The modified MBR is detected as Trojan:DOS/Alureon.C.

Payload

Communicates with a remote server
The payload component, which may be detected as Trojan:Win32/Alureon.EN, is injected into other processes. The malware communicates with a remote server to report its infection and retrieve commands.

Additional Information

For more information about Win32/Alureon, see the family description in the MMPC encyclopedia.

Analysis by Shawn Wang

 


Symptoms

Symptoms of a Win32/Alureon infection may vary according to the particular variant, for example:

  • The keyboard may be disabled as a result of an infection
  • Windows XP unexpectedly requests activation as infected drivers may simulate a significant hardware change

Prevention


Alert level: Severe
First detected by definition: 1.109.1419.0
Latest detected by definition: 1.183.527.0 and higher
First detected on: Aug 09, 2011
This entry was first published on: Aug 09, 2011
This entry was updated on: Aug 27, 2013

This threat is also detected as:
  • Trojan.Packed.2185 (Dr.Web)
  • DNSChanger.cq.a (McAfee)
  • Troj/FakeAV-EFZ (Sophos)