
Trojan:Win32/Alureon.GC


Microsoft security software detects and removes this threat.
 
Trojan:Win32/Alureon.GC is a member of Win32/Alureon - a family of data-stealing trojans.


What to do now

To detect and remove this threat and other malicious software that may have been installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:

The malware may steal your information by recording your usernames and passwords. After removal of the threat you should change your passwords. Please refer to the following advisory for tips on how to create and use passwords:

Threat behavior

Installation

Trojan:Win32/Alureon.GC copies itself to %ALLUSERPROFILE%\<random_file name>.exe.

It checks which version of Windows you are running and installs a specific version of itself.

Trojan:Win32/Alureon.GC creates the following registry entry to ensure that it runs each time you start your computer:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random_file name>"
With data: "%APPDATA%\<random_filename>.exe"

The trojan creates a mutex named "Global\<Machine_GUID><hardcoded_value><current_process_id>" to make detection more difficult. These values uniquely identify your computer and will change from computer to computer. An example could be Global\{25892e17-80f6-415f-9c65-7395632f0223}gfdgfdgdfg4a4.

It attempts to inject its payload into the following files:

  • Explorer.exe
  • Firefox.exe
  • Iexplore.exe
  • Mozilla

Payload

Downloads files

The trojan contacts a remote host specified in its configuration file.

We have seen it contact the following servers:

  • grek.uni.me/bablo/dropper/data.php
  • 151.248.114.105/<removed>/dropper/data.php
  • 188.225.36.240/k1/d6154765172/<removed>.php
  • 188.225.36.241/k1/d6154765172/<removed>.php
  • 188.225.36.242/k1/d6154765172/<removed>.php

The configuration file may include the following instructions:

  • Download and install files
  • Download and install modules
  • Update the trojan
  • Inject itself into processes using different methods
  • Send logs of its activity to a remote server
  • Write to a configuration file

The downloaded configuration file is stored in %ALLUSERPROFILE%\<random_letters>.cfg. The file is encrypted using a version of the RC4 encryption algorithm, and the key is generated from your computer's GUID to make it difficult to decrypt.

Additional information

The trojan configuration file has the following format:

<marker>
srvurls=<url that may retrieve another configuration file>
srvdelay=<digits>
srvretry=<digits>
buildid=<identifier>
fpicptr=<API>

<modules>
softwaregrabber=<random_characters>
modkiller=<random_characters>
bot32=<random_characters>
bot64=<random_characters>
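The following is an added analyst example, not Microsoft's or the malware's code: it decrypts an RC4-wrapped blob with a caller-supplied key and parses the section/key=value layout shown above, so a sample's stored .cfg can be turned into a lookup table of server URLs and module names. It assumes the decrypted text uses exactly that layout and that the key derivation from the machine GUID is handled elsewhere, since the write-up does not describe it; the sample blob and key below are constructed placeholders.

```python
from typing import Dict

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Group key=value lines under the preceding <section> marker line."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<") and line.endswith(">"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def decrypt_and_parse(key: bytes, blob: bytes) -> Dict[str, Dict[str, str]]:
    """Decrypt a stored config with a caller-supplied RC4 key and parse it."""
    return parse_config(rc4(key, blob).decode("ascii", errors="replace"))

# Constructed sample (not a real capture): a plaintext config in the layout
# described above, RC4-encrypted with a placeholder key. The write-up says the
# real key is derived from the machine GUID but not how, so that step is assumed.
SAMPLE_KEY = b"{00000000-0000-0000-0000-000000000000}"  # placeholder key
SAMPLE_PLAIN = (
    "<marker>\nsrvurls=http://c2.example.invalid/dropper/data.php\n"
    "srvdelay=60\nsrvretry=5\nbuildid=sample-build\nfpicptr=placeholder_api\n"
    "\n<modules>\nsoftwaregrabber=a1b2\nmodkiller=c3d4\nbot32=e5f6\nbot64=g7h8\n"
)
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN.encode("ascii"))
```

Running decrypt_and_parse(SAMPLE_KEY, SAMPLE_BLOB) yields the "marker" section with the srvurls/srvdelay/srvretry/buildid/fpicptr keys and the "modules" section with the four module names.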

Analysis by Daniel Chipiristeanu and Jonathan San Jose


Symptoms

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random_filename>"
With data: "%APPDATA%\<random_filename>.exe"


Prevention


Alert level: Severe
First detected by definition: 1.145.1973.0
Latest detected by definition: 1.175.689.0 and higher
First detected on: Mar 16, 2013
This entry was first published on: Mar 25, 2013
This entry was updated on: Jul 24, 2013

This threat is also detected as:
  • PWS-Zbot.gen.apc (McAfee)
  • Mal/EncPk-ZC (Sophos)
  • Gen:Variant.Kazy.193870 (BitDefender)
  • Win32/Kryptik.BEJA (ESET)
  • TR/Alureon.GC.121 (Avira)
  • Trojan horse Crypt2.UOK (AVG)
  • Trojan.Crypt2 (Ikarus)
  • Trojan-Ransom.Win32.Blocker.brkn (Kaspersky)
  • W32/Blocker.BRKN!tr (other)