
Trojan:Win32/Alureon.GQ


Microsoft security software detects and removes this threat.

Trojan:Win32/Alureon.GQ is a member of the Win32/Alureon family of malware - a family of data-stealing malware. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information from your computer, such as user names, passwords, and credit card data.

The trojan is also used to generate traffic to specific URLs.

Win32/Alureon can also allow an attacker to transmit malicious data to your computer. It might modify DNS settings on your computer to enable the attacker to perform these tasks.

The Domain Name System (DNS) is used (among other things) to map domain names to IP addresses - that is, to map human-readable domain names to machine-readable IP addresses. When you attempt to visit a particular URL, a browser uses DNS servers to find the correct IP address of the requested domain. When you are directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can answer with incorrect IP addresses of their choice for particular domain names, thus directing you to possibly bogus or malicious sites without your knowledge.

You might need to reconfigure DNS settings after the trojan is removed from your computer. See the "What to do now" section below for advice on how to do this.
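The following PowerShell script is an added example for the DNS advice above; it is not Microsoft's code and not part of the original write-up. It reads the DNS server settings that Windows stores per network interface in the registry and lists any resolver that is not in an allow-list you supply, so you can see whether a host's DNS settings still need to be reset after cleanup. The allow-list addresses are placeholders (RFC 5737 documentation addresses) that you must replace with the resolvers your network is supposed to use.

```powershell
# Added example for this write-up's DNS advice; it is not Microsoft's code.
# It reads the DNS server settings stored per network interface in the registry
# and flags any resolver that is not in an allow-list you supply.
# ASSUMPTION: the allow-list below is a placeholder (RFC 5737 documentation
# addresses); replace it with the resolvers your network is supposed to use.
$ExpectedDnsServers = @('192.0.2.53', '192.0.2.54')

function Get-UnexpectedDnsServers {
    param([string[]]$Expected)

    $findings = @()
    $ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

    foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
        $props = Get-ItemProperty -Path $iface.PSPath
        # NameServer holds statically configured resolvers; DhcpNameServer holds the
        # ones handed out by DHCP. A static entry on a host that should be using DHCP
        # is the kind of setting a DNS-changing trojan would write.
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$valueName
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Windows stores several resolvers separated by spaces or commas.
            foreach ($server in ($raw -split '[ ,]+')) {
                if ($server -and ($Expected -notcontains $server)) {
                    $findings += [pscustomobject]@{
                        Interface = $iface.PSChildName   # the interface GUID
                        Source    = $valueName
                        DnsServer = $server
                    }
                }
            }
        }
    }
    return $findings
}

$unexpected = @(Get-UnexpectedDnsServers -Expected $ExpectedDnsServers)
if ($unexpected.Count -eq 0) {
    Write-Output 'All configured DNS servers are in the allow-list.'
} else {
    Write-Output 'DNS servers not in the allow-list; review these before resetting the interface:'
    $unexpected | Format-Table -AutoSize
    # An administrator can return an adapter to DHCP-assigned DNS servers with:
    #   netsh interface ip set dns name="<adapter name>" source=dhcp
    # or, on Windows 8 / Server 2012 and later:
    #   Set-DnsClientServerAddress -InterfaceAlias '<adapter name>' -ResetServerAddresses
}
```

Reading the registry keys rather than calling the newer DNS client cmdlets keeps the check usable on the older Windows versions this entry's example paths (c:\documents and settings\...) come from; no administrator rights are needed to read them.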



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

When it runs, Trojan:Win32/Alureon.GQ drops its payload component as:

%TEMP%\<seven random letters>\<seven random letters>\wow.dll - for example, %TEMP%\sxvnfyx\sxnqsit\wow.dll

It also drops a configuration file as wow.ini in the location it creates for the payload component outlined above, for example: c:\documents and settings\administrator\local settings\temp\sxvnfyx\sxnqsit\wow.ini

This configuration file contains the following information:

  • The version of the malware
  • A list of remote servers to contact

Trojan:Win32/Alureon.GQ replaces the Windows component “ShellFolder for CD Burning” with its payload by modifying the following registry value, so that the malware runs each time you log on to your computer:

In subkey: HKCU\software\classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\inprocserver32
Sets value: “(default)”
With data: %TEMP%\<seven random letters>\<seven random letters>\wow.dll - for example, %TEMP%\sxvnfyx\sxnqsit\wow.dll

The trojan tries to encrypt the folder, and the files within it, where the payload and configuration file are located, using the Windows "Encrypting File System" (EFS) feature; it might do this to hinder removal from your computer.

Trojan:Win32/Alureon.GQ also tries to modify the permissions of the folder %TEMP%\<seven random letters> to block access to that folder.

Payload

Contacts remote hosts

Trojan:Win32/Alureon.GQ attempts to contact remote hosts; in the wild, we've observed it contacting the following:

  • 188.165.232.20
  • ofagen.com
  • rakeon.com

In the wild, we've observed the trojan contacting these servers for the following purposes:

  • To update the remote server addresses
  • To update itself

Analysis by Shawn Wang


Symptoms

System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %TEMP%\<seven random letters>\<seven random letters>\wow.dll
    %TEMP%\<seven random letters>\<seven random letters>\wow.ini

  • The presence of the following registry modification:

    In subkey: HKCU\software\classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\inprocserver32
    Sets value: “(default)”
    With data: %TEMP%\<seven random letters>\<seven random letters>\wow.dll - for example, %TEMP%\sxvnfyx\sxnqsit\wow.dll
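The following PowerShell script is an added example that checks a host for the file and registry indicators listed in the Installation and Symptoms sections above; it is not Microsoft's code, not part of the original write-up, and not a removal tool. It assumes PowerShell 3.0 or later (for `Get-ChildItem -Directory`) and should be run as the user whose profile is being examined, because both `HKCU` and `%TEMP%` are per-user.

```powershell
# Added example; it is not Microsoft's code and is not a removal tool. It checks
# a host for the two indicators this entry lists: the per-user CLSID hijack and
# the wow.dll / wow.ini files under %TEMP%\<seven letters>\<seven letters>\.
# ASSUMPTION: PowerShell 3.0 or later (for Get-ChildItem -Directory); run it as
# the user whose profile you are examining, since both HKCU and %TEMP% are per-user.
$Clsid = '{fbeb8a05-beee-4442-804e-409d6c4515e9}'   # "ShellFolder for CD Burning", from the write-up

function Test-AlureonGQIndicators {
    $findings = @()

    # 1. Registry: a per-user InprocServer32 override for this CLSID. The genuine
    #    component is registered machine-wide, so an HKCU entry for it is unusual
    #    on its own; one whose data ends in wow.dll matches this threat.
    $key = "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -Path $key) {
        $data = (Get-ItemProperty -Path $key).'(default)'
        $findings += [pscustomobject]@{
            Indicator = 'Registry'
            Detail    = "$key (default) = $data"
            WowDll    = [bool]($data -and ($data -like '*\wow.dll'))
        }
    }

    # 2. Files: wow.dll / wow.ini two levels below %TEMP%, both directory names
    #    being exactly seven letters.
    $sevenLetters = '^[a-z]{7}$'    # -match is case-insensitive by default
    foreach ($outer in Get-ChildItem -Path $env:TEMP -Directory -ErrorAction SilentlyContinue) {
        if ($outer.Name -notmatch $sevenLetters) { continue }
        try {
            $inners = Get-ChildItem -Path $outer.FullName -Directory -ErrorAction Stop
        } catch {
            # The trojan changes the permissions on the outer folder to block access,
            # so an access-denied error on a seven-letter folder is itself worth recording.
            $findings += [pscustomobject]@{
                Indicator = 'AccessDenied'
                Detail    = "$($outer.FullName): $($_.Exception.Message)"
                WowDll    = $false
            }
            continue
        }
        foreach ($inner in $inners) {
            if ($inner.Name -notmatch $sevenLetters) { continue }
            foreach ($name in 'wow.dll', 'wow.ini') {
                $path = Join-Path -Path $inner.FullName -ChildPath $name
                if (Test-Path -LiteralPath $path) {
                    $findings += [pscustomobject]@{
                        Indicator = 'File'
                        Detail    = $path
                        WowDll    = ($name -eq 'wow.dll')
                    }
                }
            }
        }
    }
    return $findings
}

$results = @(Test-AlureonGQIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Alureon.GQ indicators found for this user.'
} else {
    Write-Output 'Indicators found; run a full scan with up-to-date security software:'
    $results | Format-Table -AutoSize
}
```

The script only reports; it does not delete files or registry values, because the write-up's own advice is to let an up-to-date scanner remove the threat and then check the DNS settings afterwards. An access-denied error on a seven-letter folder under `%TEMP%` is reported on purpose, since the permission change the entry describes would otherwise hide the payload folder from a simple file search.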


 

Prevention


Alert level: Severe
First detected by definition: 1.149.1375.0
Latest detected by definition: 1.187.44.0 and higher
First detected on: May 07, 2013
This entry was first published on: Jun 04, 2013
This entry was updated on: Aug 15, 2013

This threat is also detected as:
  • Trojan.Win32.Crypt.cqt (Kaspersky)