Trojan:WinNT/Alureon.D is the detection for an obfuscated kernel-mode rootkit component of the Win32/Alureon family. Win32/Alureon is a family of data-stealing trojans that allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords and credit card data.
Trojan:WinNT/Alureon.D may be installed by other malware. When run, Trojan:WinNT/Alureon.D hooks the SSDT (System Service Descriptor Table) and system APIs. This trojan may be present under file names such as the following:
%systemroot%\system32\drivers\TDSS<random 4 letters>.sys
The registry is modified to execute the trojan as a service at Windows start.
Adds value: "start"
With data: "1"
Adds value: "type"
With data: "1"
Adds value: "imagepath"
With data: "%SystemRoot%\system32\drivers\uacd.sys"
To created subkey: HKLM\System\Current\UACD.sys
WinNT/Alureon.D drops a trojan component at the following location:
%SystemRoot%\system32\UACc.dll - detected as Trojan:Win32/Alureon.gen!S
The dropped trojan component is then injected into the Web browser Internet Explorer process "iexplore.exe".
Performs rootkit stealth protection
The trojan intercepts file system requests to hide and prevent access to files containing the string "*\UAC*" in the file name. The trojan also blocks access to related registry keys except for processes listed within the registry subkey "HKLM\Software\UAC\trusted".
WinNT/Alureon.D terminates processes found in the subkey "HKLM\Software\UAC\disallowed".
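Because the rootkit hides its files and registry keys from the running system, the indicators above are best checked against data collected offline. The following is an added example, not part of the original analysis: it matches the service values and file names described above against an offline view and diffs that view against the live one. The input shapes, function names and sample data are assumptions made for illustration.

```python
import re

# Indicators taken from the description above; Windows paths are case-insensitive.
DRIVER_RE = re.compile(r"(^|\\)system32\\drivers\\(tdss[a-z]{4}|uacd)\.sys$", re.I)
HIDDEN_RE = re.compile(r"\\uac", re.I)  # the "*\UAC*" pattern the rootkit hides


def suspicious_services(services):
    """Return names of services matching the registry entry described above.

    `services` maps service name -> registry values read from an offline copy
    of the SYSTEM hive (hypothetical input shape).
    """
    hits = []
    for name, values in services.items():
        v = {k.lower(): str(val) for k, val in values.items()}
        # "type" = 1 and "start" = 1, with an image path matching the driver names
        if (v.get("type") == "1" and v.get("start") == "1"
                and DRIVER_RE.search(v.get("imagepath", ""))):
            hits.append(name)
    return sorted(hits)


def hidden_files(live_listing, offline_listing):
    """Cross-view diff: paths seen offline, missing live, matching "*\\UAC*"."""
    live = {p.lower() for p in live_listing}
    return sorted(p for p in offline_listing
                  if p.lower() not in live and HIDDEN_RE.search(p))


# Constructed sample data (not taken from a real host).
SAMPLE_SERVICES = {
    "UACd.sys": {"start": "1", "type": "1",
                 "imagepath": r"%SystemRoot%\system32\drivers\uacd.sys"},
    "ExampleSvc": {"Start": 1, "Type": 1,
                   "ImagePath": r"system32\drivers\TDSSabcd.sys"},
    "Disk": {"Start": 0, "Type": 1, "ImagePath": r"system32\drivers\disk.sys"},
}
LIVE = [r"C:\WINDOWS\system32\kernel32.dll"]
OFFLINE = LIVE + [r"C:\WINDOWS\system32\UACc.dll",
                  r"C:\WINDOWS\system32\drivers\uacd.sys",
                  r"C:\WINDOWS\system32\notes.txt"]

if __name__ == "__main__":
    print("services:", suspicious_services(SAMPLE_SERVICES))
    print("hidden:  ", hidden_files(LIVE, OFFLINE))
```

A file that is missing from the live view but does not match the pattern (notes.txt in the sample) is not reported, since it may simply have been deleted between the two collections.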
Disables antivirus scanners
The trojan intercepts filter-driver requests of antivirus scanners by continuously removing the filter manager attached device.
Analysis by Dan Kurc & Vincent Tiu
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).