Installation and payload
Changes DNS server settings
Win32/Alureon contains different malicious components. The following are three examples of these components:
One component specifies the DNS servers used by your PC. To do so, this component sets DNS server addresses for each network adapter on your PC by changing values in certain registry subkeys associated with the adapters.
For example, the component might change these registry values:
In subkey: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
In subkeys of the key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
This component can also set the following fields to specific DNS servers in the stored dial-up configuration data:
It resets these fields if your PC already has data in these fields. The dial-up configuration file is located in:
To give these new DNS settings immediate effect, Alureon runs the following commands:
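The registry locations named above are also where a defender can check for this change. The following PowerShell script is an added example and is not part of the encyclopedia entry: it reads the per-adapter and global TCP/IP parameter keys and reports any configured DNS server that is not on a local allowlist. The allowlist addresses are constructed placeholders; replace them with the resolvers used in your own environment.

```powershell
# Added example, not from the encyclopedia entry: audit DNS server values in the
# Tcpip\Parameters keys and flag any resolver not on the allowlist.
# $ApprovedDns is an assumption (constructed placeholder values).
$ApprovedDns = @('10.0.0.53', '10.0.0.54')

$GlobalKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$IfaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsServersFromKey {
    param([string]$KeyPath)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $servers = @()
    # Statically configured resolvers are stored in NameServer, DHCP-assigned
    # ones in DhcpNameServer; both are space- or comma-separated strings.
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $value = $props.$name
        if ($value) {
            $servers += ($value -split '[ ,]+' | Where-Object { $_ })
        }
    }
    return $servers
}

# Global key first, then one key per network adapter GUID.
$keys = @($GlobalKey)
$keys += Get-ChildItem -Path $IfaceRoot -ErrorAction SilentlyContinue |
         ForEach-Object { $_.PSPath }

$findings = foreach ($key in $keys) {
    foreach ($server in Get-DnsServersFromKey -KeyPath $key) {
        if ($ApprovedDns -notcontains $server) {
            [pscustomobject]@{ Key = $key; DnsServer = $server }
        }
    }
}

if ($findings) {
    Write-Warning 'DNS server(s) outside the allowlist are configured:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'All configured DNS servers are on the allowlist.'
}
```

Run the script from an elevated prompt. Any resolver it reports should be compared against the dial-up configuration and the output of `ipconfig /all`, since the entry notes that the same component also rewrites stored dial-up DNS fields.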
A second Alureon component does the following:
- Creates a randomly named copy of itself in the <system folder>
- Injects threads into local processes to delete itself and perform other tasks
- Creates registry entries under the key HKCR
- Creates registry subkeys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
</replace>
A third Alureon component does the following:
Some variants of Alureon can infect the miniport driver associated with the hard disk of the operating system, causing the driver file to become corrupted and unusable. For the most common PC configuration (PCs using ATA hard disk drives) the ATA miniport driver atapi.sys is the target driver file. However, other files can also be targeted.
The most commonly targeted driver files are:
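Because the infected driver file is overwritten on disk, its Authenticode signature no longer verifies. The following PowerShell script is an added example, not part of the encyclopedia entry: it checks the signature status of the miniport driver named above and looks for the registry subkey named in the second component's description. Only atapi.sys is taken from the entry; any further driver names you add to the list are your own assumption.

```powershell
# Added example, not from the encyclopedia entry: verify the signature of the
# storage miniport driver and check for the registry artifact the entry names.
# Only atapi.sys comes from the entry; extend $DriverNames for your own fleet.
$DriverNames  = @('atapi.sys')
$ArtifactKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins')

function Test-DriverSignature {
    param([string]$Name)
    $path = Join-Path $env:SystemRoot "System32\drivers\$Name"
    if (-not (Test-Path -Path $path)) {
        return [pscustomobject]@{ Driver = $Name; Status = 'Missing'; Signer = $null }
    }
    # Get-AuthenticodeSignature also consults the system catalogs, so a clean
    # Windows driver reports Valid with a Microsoft signer.
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Driver = $Name
        Status = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
    }
}

$driverResults = foreach ($d in $DriverNames) { Test-DriverSignature -Name $d }
$driverResults | Format-Table -AutoSize

foreach ($r in $driverResults) {
    if ($r.Status -ne 'Valid') {
        Write-Warning "$($r.Driver): signature status $($r.Status); file may be modified or missing."
    }
}

foreach ($key in $ArtifactKeys) {
    if (Test-Path -Path $key) {
        Write-Warning "Registry artifact present: $key"
    }
}
```

A rootkit that has already infected the miniport driver can intercept disk reads and hand back the original file contents, so a clean result from a running, infected system is not conclusive. Repeat the check with the disk mounted offline (for example from recovery media) before trusting it.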
Disables proxy settings
Some Alureon components can disable or clear existing Internet Explorer proxy settings.