Microsoft security software detects this threat.

This family of data-stealing trojans can give a malicious hacker access to collect confidential information stored in your PC, such as your user names, passwords, and credit card data.

They can also send malicious data to your PC and corrupt some driver files, making them unusable.

Find out ways that malware can get on your PC.

What to do now

Use the following free Microsoft software to detect this threat:

You should also run a full scan. A full scan might find other, hidden malware. 

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation and payload

Changes DNS server settings

Win32/Alureon contains different malicious components. The following are three examples of these components:

One component specifies the DNS servers used by your PC. To do so, this component sets DNS server addresses for each network adapter on your PC by changing values in certain registry subkeys associated with the adapters.

For example, the component might change these registry values:

In subkey: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Value: "DhcpNameServer"

In subkeys of the key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

This component can also set the following fields to specific DNS servers in the stored dial-up configuration data:

  • IpDnsAddress
  • IpDns2Address

It overwrites these fields if they already contain data. The dial-up configuration file is located in:

  • %ALLUSERPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

To make the new DNS settings take effect immediately, Alureon runs the following commands:

ipconfig.exe /flushdns
ipconfig.exe /registerdns
ipconfig.exe /dnsflush
ipconfig.exe /renew
ipconfig.exe /renew_all

A second Alureon component does the following:

  • Create a randomly named copy of itself in the <system folder>
  • Inject threads into local processes to delete itself and do other tasks
  • Create registry entries under the key HKCR
  • Create registry subkeys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins

A third Alureon component does the following:

  • Gather URLs from your browser history
  • Create a new registry value in the subkey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and place random data in it
  • Create a randomly named copy of itself under the <system folder>
  • Add this entry to the registry so that the trojan copy runs automatically each time Windows starts:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<name of trojan copy>"
    With data: "<path to trojan copy>"

  • Delete the following registry entries under the subkey HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
    • The registry value whose name matches the name of the trojan file that is currently running.
    • The registry subkey whose name matches the name of the trojan file that is currently running.
  • Run the default web browser and inject code into this new browser process; the injected code might change DNS server settings on your PC and download and run files from certain websites
  • Run a new instance of explorer.exe and inject code into this new process; the injected code might delete the copy of this trojan that's currently running, to avoid detection by your security software
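The two artefacts described above (the DNS-changing component's registry and rasphone.pbk edits, and the third component's Run entry whose value name is the trojan copy's file name) can be checked offline from a registry export and a copy of the phonebook file. The script below is an added example written for this page, not Microsoft's tooling: it parses the REG_SZ subset of a `reg.exe export` file and the INI-style rasphone.pbk, flags DNS servers outside an allow-list, and flags Run entries that point at an executable of the same name sitting directly in the system folder. The registry export, phonebook text and allow-list are constructed sample data; the random name `qzkvhtr` is invented for the example.

```python
"""Offline audit for Alureon-style DNS tampering and Run-key persistence.

Inputs: the text of `reg.exe export` for the Tcpip\\Parameters and Run keys,
plus the contents of rasphone.pbk.  Everything below is constructed sample
data for this example; replace it with a real export to audit a PC.
"""
import configparser
import re

# Constructed sample registry export (format as written by reg.exe export).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="198.51.100.7 198.51.100.8"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"NameServer"="10.0.0.53"
"DhcpNameServer"="10.0.0.53"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"NameServer"="198.51.100.7,198.51.100.8"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
"qzkvhtr"="C:\\WINDOWS\\system32\\qzkvhtr.exe"
'''

# Constructed sample rasphone.pbk (0.0.0.0 is how an unset DNS field appears).
RASPHONE_PBK = '''[My ISP]
Encoding=1
Type=1
IpDnsAddress=198.51.100.7
IpDns2Address=198.51.100.8

[Office VPN]
Type=2
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
'''

# Constructed allow-list: the resolvers this (hypothetical) network actually uses.
APPROVED_DNS = {"10.0.0.53", "10.0.0.54", "0.0.0.0"}

_REG_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse the REG_SZ lines of a .reg export into {key_path: {name: data}}.
    Backslash escapes (\\\\ and \\") are undone; other value types are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _REG_VALUE.match(line)
            if m:
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = data
    return keys


def dns_findings(keys, approved):
    """Every NameServer/DhcpNameServer entry under Tcpip\\Parameters (including the
    per-adapter Interfaces subkeys) that names a server outside the allow-list."""
    findings = []
    for path, values in keys.items():
        if "\\Services\\Tcpip\\Parameters" not in path:
            continue
        for name in ("NameServer", "DhcpNameServer"):
            for server in re.split(r"[ ,]+", values.get(name, "")):
                if server and server not in approved:
                    findings.append((path.rsplit("\\", 1)[-1], name, server))
    return findings


def pbk_findings(pbk_text, approved):
    """IpDnsAddress / IpDns2Address fields in rasphone.pbk that were set to an
    unapproved server; rasphone.pbk is plain INI, so configparser reads it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(pbk_text)
    findings = []
    for entry in cp.sections():
        for field in ("IpDnsAddress", "IpDns2Address"):
            server = cp.get(entry, field, fallback="")
            if server and server not in approved:
                findings.append((entry, field, server))
    return findings


def run_key_findings(keys):
    """Run entries whose value name equals the executable's base name and whose
    executable sits directly in the system folder: the layout the trojan creates."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith("\\windows\\currentversion\\run"):
            continue
        for name, data in values.items():
            exe = data.strip('"')
            folder, _, base = exe.lower().rpartition("\\")
            in_sysdir = folder.endswith(("\\windows\\system32", "\\winnt\\system32"))
            if in_sysdir and base.rsplit(".", 1)[0] == name.lower():
                findings.append((name, exe))
    return findings


def audit(reg_text=REG_EXPORT, pbk_text=RASPHONE_PBK, approved=APPROVED_DNS):
    keys = parse_reg_export(reg_text)
    return {"registry_dns": dns_findings(keys, approved),
            "pbk_dns": pbk_findings(pbk_text, approved),
            "run_key": run_key_findings(keys)}


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("   ", item)
```

On the constructed data the audit reports the 198.51.100.x resolvers written to the Tcpip\Parameters key, to one of the two adapter subkeys and to the "My ISP" phonebook entry, and the `qzkvhtr` Run entry; the adapter pointing at 10.0.0.53 and the OneDrive entry are left alone. Against a real export, the allow-list must be the organisation's actual resolvers, and a hit on the Run key is a lead to examine the file, not proof of Alureon on its own.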

Corrupts drivers

Some variants of Alureon can infect the miniport driver associated with the hard disk that holds the operating system, leaving the driver file corrupted and unusable. For the most common PC configuration (PCs using ATA hard disk drives), the ATA miniport driver atapi.sys is the target driver file. However, other files can also be targeted.

The most commonly targeted driver files are:

  • atapi.sys
  • iastor.sys
  • iastorv.sys
  • idechndr.sys
  • nvata.sys
  • nvatabus.sys
  • nvgts.sys
  • nvstor.sys
  • nvstor32.sys
  • sisraid.sys

Disables proxy settings

Some Alureon components can disable or clear existing Internet Explorer proxy settings.

Symptoms

Symptoms of a Win32/Alureon infection vary according to the particular variant, for example:

  • Your keyboard might be disabled
  • Windows XP unexpectedly requests activation as infected drivers simulate a significant hardware change

Alert level: Severe
This entry was first published on: Mar 02, 2007
This entry was updated on: Dec 30, 2014

This threat is also detected as:
  • TR/Dldr.DNSChanger (Avira)
  • Win32/Alureon (CA)
  • Trojan.DnsChange (Dr.Web)
  • Trojan.Zlob (Ikarus)
  • Trojan-Downloader.Win32.Zlob (Kaspersky)
  • DNSChanger (McAfee)
  • Troj/Zlob (Sophos)
  • Trojan-Downloader.Win32.Femad (Sunbelt Software)
  • Trojan.Zlob (Symantec)
  • TROJ_DNSCHAN (Trend Micro)