Trojan:Win32/Alureon.gen!AB is the generic detection for a member of the Win32/Alureon family. It drops other malware, tries to delete the Hosts file, and tries to create a virtual file system (VFS). It may also connect to certain servers.
Trojan:Win32/Alureon.gen!AB drops a copy of itself as a DLL file with the following file name:
Drops other malware
Trojan:Win32/Alureon.gen!AB attempts to install its copy as a local print provider named "sdk" and manually start it using the "spooler" service. It then deletes its originally running copy.
It also drops a driver file to the disk with the following file name:
Trojan:Win32/Alureon.gen!AB adds the following registry entries to ensure that its dropped driver file automatically runs when Windows starts:
In subkey: HKLM\System\CurrentControlSet\Services\<random string>
Sets value: "Imagepath"
With data: "\??\%windir%\temp\<random string>.tmp"
Sets value: "Type"
With data: "1"
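The registry persistence described above (a service under HKLM\System\CurrentControlSet\Services whose ImagePath is a .tmp file in %windir%\temp and whose Type is 1, i.e. a kernel driver) is a concrete indicator a defender can check for. The following is an added example, not Microsoft's detection logic and not code from this page: it parses a registry export in .reg text form and flags service entries matching that shape. The sample export, the service name kdfjhs3a and the two benign services are constructed placeholders, not values from the page.

```python
import re
from typing import Dict, List, Union

# Constructed sample in reg.exe export format: two benign-looking services
# plus one entry shaped like the driver service this page describes
# (Type 1 kernel driver, ImagePath "\??\%windir%\temp\<random>.tmp").
# The service name "kdfjhs3a" is a made-up placeholder for <random string>.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Beep]
"ImagePath"="\\SystemRoot\\System32\\drivers\\beep.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kdfjhs3a]
"ImagePath"="\\??\\%windir%\\temp\\kdfjhs3a.tmp"
"Type"=dword:00000001
"""

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\"
SERVICE_KERNEL_DRIVER = 1  # value of "Type" for a kernel-mode driver service

# ImagePath of the form \??\%windir%\temp\<name>.tmp; also accepts the
# %SystemRoot% spelling and an expanded C:\Windows\temp\ path.
TEMP_DRIVER_RE = re.compile(
    r"^(?:\\\?\?\\)?(?:%windir%|%systemroot%|[a-z]:\\windows)\\temp\\[^\\]+\.tmp$",
    re.IGNORECASE,
)

ServiceEntry = Dict[str, Union[str, int]]


def parse_services(reg_text: str) -> Dict[str, ServiceEntry]:
    """Parse the Services subkeys of a .reg export into {name: {value: data}}.

    Handles REG_SZ ("..." with backslashes doubled) and REG_DWORD (dword:hex).
    """
    services: Dict[str, ServiceEntry] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(SERVICES_PREFIX.lower()):
                current = key[len(SERVICES_PREFIX):]
                services[current] = {}
            else:
                current = None  # some other hive path; ignore its values
            continue
        if current is None or not line.startswith('"') or '"=' not in line:
            continue
        name, _, value = line[1:].partition('"=')
        if value.startswith("dword:"):
            services[current][name] = int(value[len("dword:"):], 16)
        elif value.startswith('"') and value.endswith('"'):
            # .reg exports escape backslashes as "\\"; undo that
            services[current][name] = value[1:-1].replace("\\\\", "\\")
    return services


def is_temp_tmp_driver(entry: ServiceEntry) -> bool:
    """True when the entry is a kernel driver loaded from %windir%\\temp\\*.tmp."""
    if entry.get("Type") != SERVICE_KERNEL_DRIVER:
        return False
    return TEMP_DRIVER_RE.match(str(entry.get("ImagePath", ""))) is not None


def find_suspicious_drivers(services: Dict[str, ServiceEntry]) -> List[str]:
    """Return the names of service entries matching the indicator, sorted."""
    return sorted(name for name, entry in services.items() if is_temp_tmp_driver(entry))


if __name__ == "__main__":
    hits = find_suspicious_drivers(parse_services(SAMPLE_REG_EXPORT))
    for name in hits:
        print(f"suspicious kernel driver service: {name}")
```

Run against a real export taken with `reg export HKLM\System\CurrentControlSet\Services services.reg`; a legitimate kernel driver normally lives under System32\drivers, so any Type 1 service whose image is a .tmp file in the Temp directory deserves a closer look.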
Deletes the Hosts file
Trojan:Win32/Alureon.gen!AB attempts to delete the Windows Hosts file.
Creates a virtual file system (VFS)
Trojan:Win32/Alureon.gen!AB attempts to create a virtual file system (VFS), in which it adds the following files:
It also attempts to write the following information to the "config.ini" or "cfg.ini" files inside the created VFS:
Connects to servers
Trojan:Win32/Alureon.gen!AB attempts to connect to several servers. Some of the servers it tries to connect to are the following:
Gathers information about the computer
On a 64-bit computer running Windows, Trojan:Win32/Alureon.gen!AB may attempt to gather the following information:
- Windows version and build
- Current date and time
It then sends the gathered information to any of the following servers:
Analysis by Jonathan San Jose