Trojan:Win32/Alureon.gen!R is the generic detection for a DLL component of a trojan that modifies DNS settings on the infected computer, enabling an attacker to perform malicious tasks. These may include intercepting Internet traffic and thus capturing confidential information such as user names, passwords, and other sensitive data.
For more information on this family of trojans, please check the Win32/Alureon description in the encyclopedia.
System Changes
The following system changes may indicate the presence of this malware:
Installation
Trojan:Win32/Alureon.gen!R is a generic detection for a DLL component that is installed by another Alureon malware, usually detected as Trojan:Win32/Alureon.gen!J.
It is usually injected into a system process. It checks if the process to which it is injected is any of the following, and exits if this is the case:
- lsass.exe
- opera.exe
- services.exe
- winlogon.exe
If the process to which it is injected is svchost.exe, it creates a mutex, for example SkGLGh58VhjfE9.
It may also create the following files as part of its installation routine:
- <system folder>\tdssinit.dll
- <system folder>\tdssurls.log
- %TEMP%\tdsstempresp.tmp
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It creates the following subkey:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData\
Payload
Steals System Information
Trojan:Win32/Alureon.gen!R may intercept Internet traffic and steal confidential information such as user names, passwords, and other sensitive data. It then posts its gathered information to remote Web sites, such as the following:
It gathers this information by injecting code into certain processes, such as the following, to monitor for specific keywords:
- avp.exe
- avgexfs.exe
- notepad.exe
- wordpad.exe
Redirects Traffic Searches
Trojan:Win32/Alureon.gen!R may redirect Internet traffic or searches to specific Web sites such as the following:
Downloads Files
Trojan:Win32/Alureon.gen!R may download files, which may be detected as other malware, from specific IP addresses. For example, one particular sample is known to download a file as <system folder>\windows_update.exe from the IP address 78.157.142.26.
Blocks Access to Certain Web Sites
Trojan:Win32/Alureon.gen!R blocks access to Web sites containing the following strings, which are mostly Web sites related to security and antivirus products:
Analysis by Patrik Vicol
Restoring Corrupted Files
In some instances, Alureon may modify certain driver files such that they become corrupted and unusable. These corrupted files will NOT be restored by detecting and removing this threat. In order to restore functionality to the computer, the corrupted file must be restored from backup. Users are advised to boot into a recovery environment and manually replace the file with a clean copy.
Restoring DNS Settings
The Domain Name System (DNS) is used (among other things) to map domain names to IP addresses - that is, to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, the browser uses DNS servers to find the correct IP address of the requested domain. When a user is directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can return IP addresses of their choice for particular domain names, thus directing the user to possibly bogus or malicious sites without the affected user's knowledge.
Win32/Alureon may modify DNS settings on the host computer, so the following steps may be required after the Win32/Alureon removal is complete:
- If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553
- If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to: %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
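The following is an added example, not code from the encyclopedia entry or from Microsoft's scanner: it parses the INI-style rasphone.pbk phone book, lists dial-up entries whose IpDnsAddress / IpDns2Address fields are hard-coded (the setting Alureon tampers with), and diffs the scanner's rasphone.pbk.bak against the current file so an administrator can confirm what the cleanup reset. The phone-book text, entry names and 192.0.2.x addresses are constructed sample data.

```python
DNS_KEYS = ("IpDnsAddress", "IpDns2Address")
UNSET = "0.0.0.0"  # "use the server-assigned DNS"; anything else was set explicitly

def parse_pbk(text):
    # rasphone.pbk is INI-style: "[Entry Name]" sections with "Key=Value" lines.
    # MEDIA/DEVICE keys repeat inside an entry, but the DNS keys do not, so
    # keeping the last value seen per key is enough for this check.
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries

def hardcoded_dns(text):
    # Entries whose DNS fields point at a fixed address, returned as
    # {entry: {key: address}} for a human to review after removal.
    found = {}
    for name, cfg in parse_pbk(text).items():
        hits = {k: cfg[k] for k in DNS_KEYS if cfg.get(k, UNSET) != UNSET}
        if hits:
            found[name] = hits
    return found

def dns_changes(backup_text, current_text):
    # Diff the .bak copy (infected) against the current file and report, per
    # entry, which DNS fields changed as (old, new) pairs.
    old, new = parse_pbk(backup_text), parse_pbk(current_text)
    changes = {}
    for name in old.keys() | new.keys():
        o, n = old.get(name, {}), new.get(name, {})
        diff = {k: (o.get(k), n.get(k)) for k in DNS_KEYS if o.get(k) != n.get(k)}
        if diff:
            changes[name] = diff
    return changes

# Constructed sample phone book: one clean entry, one with hard-coded DNS servers.
INFECTED_PBK = """[Office VPN]
Type=2
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
[Home Dialup]
Type=1
IpDnsAddress=192.0.2.10
IpDns2Address=192.0.2.11
"""
CLEANED_PBK = INFECTED_PBK.replace("192.0.2.10", UNSET).replace("192.0.2.11", UNSET)
```

On a real machine, read the current phone book and the .bak path quoted above and pass their contents to `dns_changes`; any entry still reported by `hardcoded_dns` afterwards should be verified against the ISP's published DNS servers.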