Trojan:WinNT/Alureon.D


Trojan:WinNT/Alureon.D is the detection for an obfuscated kernel-mode rootkit component of the Win32/Alureon family. Win32/Alureon is a family of data-stealing trojans that allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords and credit card data.


What to do now

The Win32/Alureon trojan may enable an attacker to transmit malicious data to the infected computer. Recovering from this situation may require measures beyond removing the trojan itself from the computer. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Restoring Corrupted Files
In some instances, Alureon may modify certain driver files such that they become corrupted and unusable. These corrupted files will NOT be restored by detecting and removing this threat. To restore functionality to the computer, the corrupted file must be restored from backup. Users are advised to boot into a recovery environment and manually replace the file with a clean copy.
Restoring DNS Settings
The Domain Name System (DNS) is used (among other things) to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, the browser queries DNS servers to find the correct IP address of the requested domain. When the user's queries are directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can return IP addresses of their choosing for particular domain names, directing the user to bogus or malicious sites without the affected user's knowledge.
 
Win32/Alureon may modify DNS settings on the host computer, so the following steps may be required after the Win32/Alureon removal is complete:
  • If the computer has a network interface that does not receive its configuration using DHCP, reset the DNS configuration if necessary. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553.
  • If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:
    %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
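The dial-up check above can be scripted rather than done by eye. The following added example (not Microsoft's tooling) parses a rasphone.pbk phonebook, lists every entry that has a hard-coded IpDnsAddress or IpDns2Address, and diffs those fields against the .bak copy the scanner leaves behind; the phonebook text, the entry names and the 203.0.113.x addresses are constructed for the example.

```python
import configparser

# Constructed rasphone.pbk sample: one entry left with attacker-chosen DNS servers
# (203.0.113.x is documentation address space) and one entry that still takes DNS from the provider.
INFECTED_PBK = """[My ISP]
Type=1
IpDnsAddress=203.0.113.10
IpDns2Address=203.0.113.11
IpDnsFlags=0

[Office VPN]
Type=2
IpDnsAddress=
IpDns2Address=
"""
# Constructed stand-in for rasphone.pbk.bak: the same phonebook before the fields were set.
BACKUP_PBK = INFECTED_PBK.replace("203.0.113.10", "").replace("203.0.113.11", "")

DNS_FIELDS = ("IpDnsAddress", "IpDns2Address")

def parse_pbk(text):
    """rasphone.pbk is INI-style: one [section] per dial-up entry, key=value fields."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                     # keep field names case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def hardcoded_dns(pbk):
    """{entry: {field: address}} for every entry with a non-empty DNS field."""
    found = {}
    for entry, fields in pbk.items():
        hits = {f: fields[f] for f in DNS_FIELDS if fields.get(f, "").strip()}
        if hits:
            found[entry] = hits
    return found

def dns_diff(current_text, backup_text):
    """Entries whose DNS fields differ between the live phonebook and its .bak copy:
    {entry: {field: (backup_value, current_value)}}."""
    cur, bak = parse_pbk(current_text), parse_pbk(backup_text)
    changed = {}
    for entry, fields in cur.items():
        old = bak.get(entry, {})
        diff = {f: (old.get(f, ""), fields.get(f, "")) for f in DNS_FIELDS
                if old.get(f, "") != fields.get(f, "")}
        if diff:
            changed[entry] = diff
    return changed
```

On a real system, read the live phonebook and its .bak from the paths given above and pass their contents to dns_diff; an empty result means the dial-up DNS fields were not changed.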

Threat behavior

Trojan:WinNT/Alureon.D is the detection for an obfuscated kernel-mode rootkit component of the Win32/Alureon family. Win32/Alureon is a family of data-stealing trojans that allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords and credit card data.
Installation
Trojan:WinNT/Alureon.D may be installed by other malware. When run, Trojan:WinNT/Alureon.D hooks the SSDT (System Service Descriptor Table) and system APIs. This trojan may be present under file names such as the following:
 
%systemroot%\system32\drivers\UACD.sys
%systemroot%\system32\drivers\UAC<random letters>.sys
%systemroot%\system32\drivers\TDSS.sys
%systemroot%\system32\drivers\TDSSserv.sys
%systemroot%\system32\drivers\TDSS<random 4 letters>.sys
 
The registry is modified to execute the trojan as a service at Windows start.
 
Adds value: "start"
With data: "1"
Adds value: "type"
With data: "1"
Adds value: "imagepath"
With data: "%SystemRoot%\system32\drivers\uacd.sys"
To created subkey: HKLM\System\Current\UACD.sys
 
WinNT/Alureon.D drops a trojan component as the following:
 
%SystemRoot%\system32\UACc.dll - detected as Trojan:Win32/Alureon.gen!S
 
The dropped trojan component is then injected into the Internet Explorer browser process "iexplore.exe".
Payload
Performs rootkit stealth protection
The trojan intercepts file system requests to hide, and prevent access to, files whose path contains the string "*\UAC*". The trojan also blocks access to the related registry keys, except for processes listed within the registry subkey "HKLM\Software\UAC\trusted".
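The service entry described under Installation and the file hiding described here can be checked together from a recovery environment, where the rootkit is not running. The following added example (not Microsoft's code) parses a constructed `reg export` of the services key, assumed here to be HKLM\SYSTEM\CurrentControlSet\Services with the service named UACD, flags services whose ImagePath matches the driver names listed above, and marks a hit as hidden when the driver file is absent from a user-mode directory listing, which is the discrepancy the *\UAC* file hiding produces on a live system. The .reg text and the directory listing are constructed for the example.

```python
import re

# Constructed 'reg export' text (assumed layout); reg.exe writes a REG_EXPAND_SZ ImagePath as hex(2) UTF-16LE bytes, continued over lines ending in a backslash.
REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACD]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,\
  76,00,65,00,72,00,73,00,5c,00,75,00,61,00,63,00,64,00,2e,00,73,00,79,00,73,00,00,00
'''
VISIBLE_DRIVERS = {"disk.sys", "ntfs.sys", "tcpip.sys"}  # constructed user-mode listing of the drivers directory

def decode_value(raw):
    """dword -> int; hex(2) (REG_EXPAND_SZ, UTF-16LE) -> str; quoted REG_SZ -> str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def parse_reg(text):
    """Minimal .reg reader -> {key_path: {value_name: decoded value}}."""
    keys, cur, buf = {}, None, ""
    for line in text.splitlines():
        buf += line.strip()
        if buf.endswith("\\"):                # value continues on the next line
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if line.startswith("["):
            keys[(cur := line[1:-1])] = {}
        elif cur and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[cur][name] = decode_value(raw)
    return keys

# UACD.sys, UAC<letters>.sys, TDSS.sys, TDSSserv.sys and TDSS<4 letters>.sys from the description
INDICATOR = re.compile(r"\\(?:UAC[a-z]*|TDSS[a-z]*)\.sys$", re.I)

def suspicious_services(reg, visible):
    """Indicator-matching services; 'hidden' = the driver file is absent from a user-mode listing."""
    hits = []
    for key, vals in reg.items():
        image = str(vals.get("ImagePath", ""))
        if INDICATOR.search(image):
            hits.append({"service": key.rsplit("\\", 1)[-1], "image": image,
                         "kernel_driver": vals.get("Type") == 1,    # SERVICE_KERNEL_DRIVER
                         "system_start": vals.get("Start") == 1,    # SERVICE_SYSTEM_START
                         "hidden": image.rsplit("\\", 1)[-1].lower() not in visible})
    return hits
```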
 
Terminates processes
WinNT/Alureon.D terminates processes found in the subkey "HKLM\Software\UAC\disallowed".
 
Disables antivirus scanners
The trojan intercepts the filter-driver requests of antivirus scanners by continuously removing the device that the filter manager has attached.
Additional Information
For more information about Win32/Alureon and WinNT/Alureon, see our descriptions elsewhere in the encyclopedia.
 
Analysis by Dan Kurc & Vincent Tiu

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.49.681.0
Latest detected by definition: 1.203.1472.0 and higher
First detected on: Dec 18, 2008
This entry was first published on: Apr 06, 2009
This entry was updated on: Apr 17, 2010

This threat is also detected as:
  • W32/Tibs.gen240 (Norman)
  • Troj/Rootkit-ED (Sophos)
  • Backdoor.Tidserv (Symantec)
  • Trojan:Win32/Tibs.HS (other)