Trojan:WinNT/Alureon.H is the detection for the kernel-mode driver component of members of the Win32/Alureon family. The component functions as a rootkit that hides itself and the other components of the Win32/Alureon trojan family.
WinNT/Alureon.H may be installed by other components of the Win32/Alureon family and may be present as a randomly named file in the temporary files folder as in the following example:
The trojan stores its main body and other component files near the end of the local drive and encrypts the stored data.
Infects a Windows driver
WinNT/Alureon.H randomly selects an installed Windows driver file to infect, choosing among files such as "pci.sys" and others. The modified driver is detected as Virus:Win32/Alureon.H. Once a selected driver has been infected, it loads the main Alureon components, which are physically stored in an encrypted area at the end of the local hard drive rather than in the file system.
Hides Win32/Alureon components
The trojan reads configuration data stored in a file named "config.ini" to determine which process to inject code into, for example "svchost.exe". It then injects the DLL component "tdlcmd.dll" into the running process. WinNT/Alureon.H attempts to hide the presence of all Win32/Alureon components.
Trojan:WinNT/Alureon.H also returns misleading results when certain security software attempts to read the infected driver or the hidden file system it protects, so checks made from the running, infected system may not show the modification.
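The following PowerShell script is an added example, not part of Microsoft's analysis or tooling. It turns the two behaviours described above (the infected driver file and the DLL injected into svchost.exe) into concrete checks: it verifies the Authenticode signature and SHA-256 hash of the candidate driver, and it looks for "tdlcmd.dll" among the modules loaded in any svchost.exe process. The driver name "pci.sys" and the DLL name come from this page; the reference hash table is an assumption you must fill in yourself from a known-clean machine of the same Windows build, and the driver directory path is the default one. Run it from an elevated prompt.

```powershell
# Added example (not Microsoft's code): integrity checks for the behaviours
# described in this entry. Assumptions: $candidates and the DLL name are taken
# from the page; $knownGood must be populated from a known-clean reference system.

$driverDir  = Join-Path $env:SystemRoot 'System32\drivers'
# pci.sys is the only driver the page names; add others you want to cover.
$candidates = @('pci.sys')

# Known-good SHA256 values from a clean reference system (fill in yourself).
$knownGood = @{}

foreach ($name in $candidates) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }

    # 1. Authenticode check: a patched driver no longer matches its signature.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    # 2. Hash check against the reference value, if one is available.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $hashNote = if ($knownGood.ContainsKey($name)) {
        if ($knownGood[$name] -ieq $hash) { 'matches reference' } else { 'DIFFERS from reference' }
    } else { 'no reference hash' }

    [pscustomobject]@{
        Driver    = $name
        SigStatus = $sig.Status                      # Valid / HashMismatch / NotSigned ...
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
        HashCheck = $hashNote
    }
}

# 3. Look for the injected component: tdlcmd.dll loaded in any svchost.exe.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $_.ModuleName -ieq 'tdlcmd.dll' } | ForEach-Object {
            [pscustomobject]@{ PID = $p.Id; Module = $_.FileName }
        }
    } catch {
        # Module enumeration is denied for some service hosts even when elevated.
        Write-Warning ("Cannot enumerate modules of svchost PID {0}: {1}" -f $p.Id, $_.Exception.Message)
    }
}
```

Because the rootkit interferes with reads of the infected driver and its hidden storage, a clean signature and matching hash obtained on the live system are not conclusive. For a trustworthy result, boot from WinPE or WinRE (or attach the disk to a clean machine), set `$driverDir` to the offline volume's `Windows\System32\drivers` folder, and rerun the file checks there; the process check only makes sense on the live system.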
Analysis by Tim Liu
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.