is a detection for system drivers infected by members of the Win32/Alureon
Win32/Alureon is a multi-component family of trojans involved in a broad range of subversive online activities that generate revenue for its controllers from various sources. Mostly, Win32/Alureon is associated with moderating the affected user's online activities to the attacker's benefit. As such, the various components of this family have been used for:
modifying the affected user's search results (search hijacking)
redirecting the affected user's browsing to sites of the attacker's choice (browser hijacking)
changing DNS settings in order to redirect the user to sites of the attacker's choice without the affected user's knowledge
downloading and executing arbitrary files, including additional components and other malware
serving illegitimate advertising
installing rogue security software
Win32/Alureon also uses advanced stealth techniques to hinder the detection and removal of its various components.
Some variants of this trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks, so it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
is the detection for a system driver that has been infected by members of the Win32/Alureon family. When the infecting trojan is run, it infects a system driver. Commonly the targeted file is "atapi.sys", usually found in the following location:
Uses advanced stealth
The code added to the infected driver is responsible for loading the rest of the rootkit (installed by another Alureon component), which is stored in arbitrary sectors of the hard drive. The rootkit is used to hide Alureon's file components as well as the modification of the infected driver itself.
Analysis by Scott Molenkamp
There are no discernible symptoms that indicate the presence of this malware on an affected machine.