Follow:

 

Virus:Win32/Alureon.J


Virus:Win32/Alureon.J is a detection for system drivers infected by members of the Win32/Alureon family.
 
Win32/Alureon is a multi-component family of trojans involved in a broad range of subversive activities online in order to generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating affected user's activities online to the attacker's benefit. As such, the various components of this family have been used for:
 
  • Modifying affected user's search results (search hijacking)
  • Redirecting affected user's browsing to sites of the attacker's choice (browser hijacking)
  • Changing Domain Name System (DNS) settings in order to redirect users to sites of the attacker's choice without the affected user's knowledge
  • Downloading and executing arbitrary files, including additional components and other malware
  • Serving illegitimate advertising
  • Installing Rogue security software
  • Clicking banners
 
Win32/Alureon also utilizes advanced stealth techniques in order to hinder the detection and removal of its various components.
 
Some variants of this trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.


What to do now

The Win32/Alureon trojan may enable an attacker to transmit malicious data to the infected computer. Recovering from this situation may require measures beyond removing the trojan itself from the computer.
 
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Restoring corrupted files
In some instances, Alureon may modify certain driver files such that they become corrupted and unusable. These corrupted files that will NOT be restored by detecting and removing this threat. In order to restore functionality to the computer, the corrupted file must be restored from backup. Users are advised to boot into a recovery environment and manually replace the file with a clean copy.
Restoring DNS settings
The Domain Name System (DNS) is used (among other things) to map domain names to IP addresses - that is, to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, a browser will use DNS servers to find the correct IP address of the requested domain. When a user is directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can provide incorrect IP addresses at their choice to map to particular domain names, thus directing the user to possibly bogus or malicious sites without the affected user's knowledge.
 
Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
  • If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553
  • If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:
    %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak

Threat behavior

Virus:Win32/Alureon.J is a detection for system drivers infected by members of the Win32/Alureon family.
 
Win32/Alureon is a multi-component family of trojans involved in a broad range of subversive activities online in order to generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating affected user's activities online to the attacker's benefit. As such, the various components of this family have been used for:
 
  • Modifying affected user's search results (search hijacking)
  • Redirecting affected user's browsing to sites of the attacker's choice (browser hijacking)
  • Changing Domain Name System (DNS) settings in order to redirect users to sites of the attacker's choice without the affected user's knowledge
  • Downloading and executing arbitrary files, including additional components and other malware
  • Serving illegitimate advertising
  • Installing Rogue security software
  • Clicking banners
 
Win32/Alureon also utilizes advanced stealth techniques in order to hinder the detection and removal of its various components.
 
As some variants of this trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
Installation
Virus:Win32/Alureon.J is the detection for "volsnap.sys", a system driver that has been infected by members of the Win32/Alureon family.
Payload
Uses advanced stealth
This added code is responsible for loading the rest of the rootkit (installed by another Alureon component) stored in arbitrary sectors in the hard drive. The rootkit is used to hide Alureon file components as well as to hide the infection of the infected driver.
 
Analysis by Scott Molenkamp

Symptoms

There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Prevention


Alert level: Severe
First detected by definition: 1.99.835.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 08, 2011
This entry was first published on: Mar 09, 2011
This entry was updated on: Mar 09, 2011

This threat is also detected as:
  • Virus.Win32.TDSS.e (Kaspersky)
  • Trojan.Generic.5427294 (BitDefender)
  • Generic.dx!vpv (McAfee)