Trojan:DOS/Alureon.C


Trojan:DOS/Alureon.C is the detection name for infected Master Boot Records (MBR) produced by certain variants of the Win32/Alureon rootkit family. The rootkit infects 32-bit and 64-bit systems.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior


Installation

Infected Master Boot Records detected as Trojan:DOS/Alureon.C are usually created by Trojan:Win32/Alureon.FE.

Payload

Installs other malware components

At boot time, the infected MBR code detected as Trojan:DOS/Alureon.C locates the rootkit's hidden file system (VFS) on the disk, reads the file 'boot' from the VFS root folder into memory and transfers control to it.

The file 'boot' disables the check of digital signatures on drivers, hooks the BIOS disk read/write service (INT 13h) so that every sector the boot loader and kernel load from the hard drive passes through it, and then reads the original Windows MBR, which is stored as 'mbr' in the VFS root folder. It transfers control to that original MBR so the normal boot sequence continues and the system starts as usual.

Because every disk read now passes through its hook, 'boot' inspects the data as Windows loads and watches for the kernel debugger transport 'KDCOM.DLL' being read from disk. When it is, 'boot' substitutes another rootkit component from the VFS root folder, 'dbg32' or 'dbg64' depending on whether the system is 32-bit or 64-bit, so that Windows loads the rootkit's file in place of the legitimate 'KDCOM.DLL'.

Once running in the kernel, this substituted component loads the main rootkit driver, which hides the Alureon rootkit components from the running system.
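The entry above describes an MBR whose 446 bytes of boot code have been replaced while the disk still boots normally. The most direct check for that condition is to capture sector 0 and compare it, region by region, with a trusted copy of the same disk's MBR. The following is an added example of that comparison, written for this page; it is not Microsoft's tooling or code from the original entry. The two sample MBRs are constructed inline for illustration only (they are not Alureon samples and their boot code does nothing), and the assumption that the partition table and 0x55AA signature survive the infection is the example's own, based on the fact that the infected MBR must still hand control to the original boot sequence.

```python
"""Added example (not code from the original page): parse a 512-byte MBR
image and compare it, region by region, against a trusted copy of the same
disk's MBR. The sample MBRs below are constructed for illustration only; they
are not Alureon samples and their boot code does nothing."""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: bootstrap code and data
PART_TABLE_OFFSET = 446        # bytes 446..509: four 16-byte entries
PART_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # e.g. 0x07 for NTFS; 0 for an empty entry
    lba_start: int      # first sector (LBA)
    sector_count: int   # length in sectors


def parse_partition_table(mbr: bytes) -> list[PartitionEntry]:
    """Return the four partition entries (empty entries have type_id 0)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        f = struct.unpack_from("<B3BB3BII", mbr, off)
        entries.append(PartitionEntry(f[0] == 0x80, f[4], f[8], f[9]))
    return entries


def compare_mbr(suspect: bytes, trusted: bytes) -> dict:
    """Compare a captured MBR with a trusted baseline of the same disk.

    Returns the SHA-256 of the suspect boot code, its parsed partition table
    and a list of findings. An MBR bootkit of the kind described in the entry
    overwrites the boot code but keeps the partition table and signature, so
    the 'boot code differs' finding on its own is the expected signal.
    """
    for name, sector in (("suspect", suspect), ("trusted", trusted)):
        if len(sector) != MBR_SIZE:
            raise ValueError(f"{name} MBR must be exactly {MBR_SIZE} bytes")
    findings = []
    if suspect[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if suspect[:BOOT_CODE_SIZE] != trusted[:BOOT_CODE_SIZE]:
        findings.append("boot code differs from trusted baseline")
    if suspect[PART_TABLE_OFFSET:510] != trusted[PART_TABLE_OFFSET:510]:
        findings.append("partition table differs from trusted baseline")
    return {
        "boot_code_sha256": hashlib.sha256(suspect[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": parse_partition_table(suspect),
        "findings": findings,
    }


def build_mbr(boot_code: bytes, entries: list[tuple]) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3BB3BII", s, 0, 0, 0, t, 0, 0, 0, lba, cnt)
                     for s, t, lba, cnt in entries)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + MBR_SIGNATURE


# Constructed sample data (not real malware): one active NTFS partition.
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]
# A few bytes resembling the start of a stock Windows MBR (xor ax,ax / mov ss,ax ...).
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", SAMPLE_PARTITIONS)
# Same partition table, different boot code: the shape an MBR bootkit leaves behind.
INFECTED_MBR = build_mbr(b"\xeb\x10" + b"\x90" * 16 + b"BOOTKIT", SAMPLE_PARTITIONS)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = compare_mbr(sector, CLEAN_MBR)
        print(label, result["boot_code_sha256"][:16], result["findings"] or "no findings")
```

Capture the suspect sector from a clean boot medium (for example `dd if=/dev/sda bs=512 count=1` from a rescue system that did not boot from the suspect disk). As the entry describes, the rootkit installs itself as a handler for disk read/write requests and its driver hides the rootkit components, so sector 0 read from inside the infected Windows installation may not reflect what is actually on the disk. The trusted baseline can be a backup of the same disk's MBR or the stock MBR written by the same Windows version.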

Additional information

More information on the Win32/Alureon rootkit family can be found on the family description page.

Analysis by Sergey Chernyshev


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.107.1598.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jul 12, 2011
This entry was first published on: Jul 12, 2011
This entry was updated on: Nov 02, 2011

This threat is also detected as:
  • Alureon.A (Command)
  • MBR/Alureon.A (Norman)
  • Boot.Sst.D (VirusBuster)
  • Rootkit.MBR.Sst.A (Boot image) (BitDefender)
  • BackDoor.Tdss.5544 (Dr.Web)
  • Rootkit.Boot.Sst.a (Kaspersky)
  • TDSS!mbr (McAfee)
  • Troj/TdlMbr-D (Sophos)
  • Hacktool.Rootkit (Symantec)
  • TDSSMBR.DE (Trend Micro)