Trojan:WinNT/Alureon.H


Trojan:WinNT/Alureon.H is the detection for the kernel-mode driver component of members of the Win32/Alureon family. The component functions as a rootkit to hide itself and other components of the Win32/Alureon trojan family.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
WinNT/Alureon.H may be installed by other components of the Win32/Alureon family and may be present as a randomly named file in the temporary files folder as in the following example:
 
%TEMP%\ahklw.tmp
 
The trojan stores its main body and other component files near the end of the local drive and encrypts the stored data.
Payload
Infects a Windows driver
WinNT/Alureon.H randomly selects an installed Windows driver file to infect, selecting among files such as "pci.sys", "win32k.sys", "dmload.sys", "IntelIde.sys" and others. The modified driver is detected as Virus:Win32/Alureon.H. Once a selected driver is successfully infected, it will load the Alureon main components physically stored in an encrypted part of the last sector of the local hard drive.
 
Hides Win32/Alureon components
The trojan reads configuration data stored in a file "config.ini" to determine into which running process, such as "svchost.exe", it will inject code. The trojan injects a DLL component "tdlcmd.dll" into that process. WinNT/Alureon.H attempts to hide the presence of components of Win32/Alureon.
 
Trojan:WinNT/Alureon.H will also return misleading results when certain security software attempts to access the infected driver or its protected file system.
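The two payload behaviors above (a modified inbox driver, and a DLL injected into svchost.exe) each suggest a check a responder can run. The following PowerShell is an added example written for this page; it is not part of the Microsoft encyclopedia entry. The function names, the offline mount path D:\Windows and the reference folder C:\ref\drivers are assumptions for illustration; the driver names come from the entry, and the note that win32k.sys sits in System32 rather than System32\drivers is a fact about Windows layout.

```powershell
# Added example, not part of the Microsoft encyclopedia entry.
# Two defender checks built from the behaviors described above:
#   1. compare the driver files the trojan chooses among against known-good
#      copies (hash match), since an infected driver is a modified file;
#   2. list modules loaded in svchost.exe that are not validly signed, since
#      the trojan injects "tdlcmd.dll" into a process named in config.ini.
# Caveat from the entry itself: while the rootkit is active it returns
# misleading results to software reading the infected driver, so run check 1
# against an offline copy of the volume (WinRE or a mounted image) and treat
# a clean result from check 2 on a live system as weak evidence only.

function Test-DriverIntegrity {
    param(
        # Windows directory to inspect; an offline mount such as 'D:\Windows' is preferred.
        [string]$WindowsDir = $env:SystemRoot,
        # Folder holding known-good copies of the same drivers (for example extracted
        # from installation media of the same build). Assumed path; adjust to taste.
        [Parameter(Mandatory)] [string]$ReferenceDir
    )
    # Driver names the entry lists as infection candidates; win32k.sys lives in
    # System32 itself, the others under System32\drivers.
    $targets = @(
        'System32\win32k.sys',
        'System32\drivers\pci.sys',
        'System32\drivers\dmload.sys',
        'System32\drivers\IntelIde.sys'
    )
    foreach ($rel in $targets) {
        $path = Join-Path $WindowsDir $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $ref = Join-Path $ReferenceDir (Split-Path $rel -Leaf)
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $refHash = if (Test-Path -LiteralPath $ref) {
            (Get-FileHash -LiteralPath $ref -Algorithm SHA256).Hash
        } else { $null }
        [pscustomobject]@{
            Driver       = $rel
            SHA256       = $hash
            MatchesRef   = if ($refHash) { $hash -eq $refHash } else { 'no reference' }
            # Signature status is secondary: inbox drivers are often catalog-signed,
            # which an offline mount cannot validate, so 'NotSigned' alone is not proof.
            SigStatus    = (Get-AuthenticodeSignature -FilePath $path).Status
            LastWriteUtc = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        }
    }
}

function Get-UnsignedSvchostModules {
    # Needs an elevated session to read modules of SYSTEM-owned svchost processes.
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = @($proc.Modules) } catch { return }   # access denied: skip this PID
        foreach ($m in $mods) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    PID       = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    SigStatus = $sig.Status
                }
            }
        }
    }
}

# Usage (offline volume mounted at D:, reference copies in C:\ref\drivers;
# both paths are assumed for illustration):
# Test-DriverIntegrity -WindowsDir 'D:\Windows' -ReferenceDir 'C:\ref\drivers' | Format-Table -AutoSize
# Get-UnsignedSvchostModules | Format-Table -AutoSize
```

The hash comparison is the decisive check: a candidate driver whose SHA256 differs from the known-good copy of the same build is what the "Infects a Windows driver" section describes. Signature status is reported only as supporting context, because inbox drivers on older Windows versions are catalog-signed and show as NotSigned when read from an offline mount. The svchost module listing can be noisy on such systems for the same reason; a module loaded from outside System32, or one whose name matches the "tdlcmd.dll" component named above, is the kind of entry that deserves follow-up.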
 
Analysis by Tim Liu

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.69.1105.0
Latest detected by definition: 1.177.1714.0 and higher
First detected on: Nov 18, 2009
This entry was first published on: Sep 22, 2010
This entry was updated on: Sep 24, 2010

This threat is also detected as:
No known aliases