Trojan:Win32/Alureon.gen!AB

Encyclopedia entry
Updated: Jun 08, 2011  |  Published: May 18, 2011

Aliases
  • W32/Alureon.AMG (Norman)
  • Trojan.Win32.Alureon (Ikarus)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.103.2020.0
Released: May 18, 2011

Summary

Trojan:Win32/Alureon.gen!AB is the generic detection for a member of the Win32/Alureon family. It drops another malware, tries to delete the Hosts file, and tries to create a virtual file system (VFS). It may also connect to certain servers.

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Technical Information (Analysis)

Trojan:Win32/Alureon.gen!AB is the generic detection for a member of the Win32/Alureon family. It drops another malware, tries to delete the Hosts file, and tries to create a virtual file system (VFS). It may also connect to certain servers.

Installation

Trojan:Win32/Alureon.gen!AB drops a copy of itself as a DLL file with the following file name:

    %temp%\<random string>.tmp

Payload

Drops other malware
Trojan:Win32/Alureon.gen!AB attempts to install its copy as a local print provider named "sdk" and manually start it using the "spooler" service. It then deletes its originally running copy.

It also drops a driver file to the disk with the following file name:

Trojan:Win32/Alureon.gen!AB adds the following registry entries to ensure that its dropped driver file automatically runs when Windows starts:

In subkey: HKLM\System\CurrentControlSet\Services\<random string>
Sets value: "Imagepath"
With data: "\??\%windir%\temp\<random string>.tmp"
Sets value: "Type"
With data: "1"

Deletes the Hosts file
Trojan:Win32/Alureon.gen!AB attempts to delete the Windows Hosts file.
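The service-persistence entries and the Hosts-file deletion described above can be checked for on a host. The following Python triage helper is an added example, not Microsoft's code or part of this entry: it flags kernel-driver services (Type 1) whose ImagePath resolves to a .tmp file under %windir%\temp after stripping the NT \??\ prefix, and reports a missing Hosts file. The Windows directory defaults to C:\Windows, and the service records are constructed samples; on a real system they would be read from HKLM\System\CurrentControlSet\Services.

```python
import ntpath
import re
from dataclasses import dataclass

SERVICE_KERNEL_DRIVER = 1  # the "Type" = "1" data the entry above describes


@dataclass
class ServiceEntry:
    """One HKLM\\System\\CurrentControlSet\\Services\\<name> record (constructed)."""
    name: str
    image_path: str    # raw "ImagePath" data, e.g. "\\??\\%windir%\\temp\\x.tmp"
    service_type: int  # raw "Type" data


def normalize_image_path(image_path: str, windir: str = r"C:\Windows") -> str:
    """Strip the NT '\\??\\' prefix, expand %windir%/%SystemRoot%, lower-case."""
    path = image_path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    # A lambda keeps the backslashes in windir from being read as re.sub escapes.
    path = re.sub(r"%(windir|systemroot)%", lambda _m: windir, path, flags=re.IGNORECASE)
    return path.lower()


def is_alureon_like_driver(entry: ServiceEntry, windir: str = r"C:\Windows") -> bool:
    """Kernel-mode driver service whose image is a .tmp file under %windir%\\temp."""
    if entry.service_type != SERVICE_KERNEL_DRIVER:
        return False
    path = normalize_image_path(entry.image_path, windir)
    return path.startswith(windir.lower() + "\\temp\\") and path.endswith(".tmp")


def find_suspicious_services(entries, windir: str = r"C:\Windows"):
    """Names of services matching the persistence pattern, for analyst triage."""
    return [e.name for e in entries if is_alureon_like_driver(e, windir)]


def hosts_file_missing(windir: str = r"C:\Windows", exists=ntpath.exists) -> bool:
    """True when the Windows Hosts file is absent; 'exists' is injectable for tests."""
    return not exists(ntpath.join(windir, "System32", "drivers", "etc", "hosts"))


# Constructed sample records (not from a real host); only two match the pattern.
SAMPLE_SERVICES = [
    ServiceEntry("Tcpip", r"System32\drivers\tcpip.sys", 1),
    ServiceEntry("Spooler", r"%SystemRoot%\System32\spoolsv.exe", 16),
    ServiceEntry("a1b2c3d4", r"\??\%windir%\temp\a1b2c3d4.tmp", 1),
    ServiceEntry("XyZ", r"\??\C:\Windows\Temp\XyZ.tmp", 1),
    ServiceEntry("tool", r"\??\C:\Windows\temp\tool.tmp", 16),  # user-mode: not flagged
]

if __name__ == "__main__":
    print(find_suspicious_services(SAMPLE_SERVICES))  # ['a1b2c3d4', 'XyZ']
```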

Creates a virtual file system (VFS)
Trojan:Win32/Alureon.gen!AB attempts to create a virtual file system (VFS), in which it adds the following files:

  • cmd.dll
  • cmd64.dll
  • tests
  • config.ini
  • cfg.ini
  • bckfg.tmp
  • ldr32
  • ldr64
  • drv32
  • drv64

It also attempts to write the following information to the "config.ini" or "cfg.ini" files inside the created VFS:

    [main]
    version=<some values>
    botid=<some values>
    affid=<some values>
    subid=<some values>
    sid=<some values>
    [inject]
    *=<some values>
    installdate=<some values>
    builddate=<some values>
    [cmd]
    srv=<some values>
    wsrv=<some values>
    psrv=<some values>

Connects to servers
Trojan:Win32/Alureon.gen!AB attempts to connect to several servers.

Gathers information about the computer
On a 64-bit computer running Windows, Trojan:Win32/Alureon.gen!AB may attempt to gather the following information:

  • Windows version and build
  • Current date and time

It then sends the gathered information to one of several servers.

Analysis by Jonathan San Jose

Prevention

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Additional remediation instructions for Trojan:Win32/Alureon.gen!AB

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article(s):
