
Win32/Alureon


Microsoft security software detects and removes this threat.

Win32/Alureon is a family of data-stealing trojans. They allow a hacker to collect confidential information stored on your PC, such as your user names, passwords, and credit card data.

They can also send malicious data to your PC and corrupt some driver files, making them unusable.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

However, in some cases you may need to use the free tool Windows Defender Offline to fully clean your PC:

The following articles may help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should make sure your security software is up to date and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community or our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation and payload

Changes DNS server settings

Win32/Alureon contains different malicious components. The following are three examples of these components:

One component changes the DNS servers your PC uses. To do so, it sets DNS server addresses for each network adapter on your PC by changing values in the registry subkeys associated with those adapters.

For example, the component might change these registry values:

In subkey: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Value: "DhcpNameServer"

In subkeys of the key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Values:
"NameServer"
"DhcpNameServer"

This component can also set the following fields to specific DNS servers in the stored dial-up configuration data:

  • IpDnsAddress
  • IpDns2Address

It overwrites these fields if they already contain data. The dial-up configuration file is located in:

  • %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

To make these new DNS settings take effect immediately, Alureon runs the following commands:

ipconfig.exe /flushdns
ipconfig.exe /registerdns
ipconfig.exe /dnsflush
ipconfig.exe /renew
ipconfig.exe /renew_all
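As an added example that is not part of this Microsoft encyclopedia entry, the following Python script audits the two places the DNS-changer component rewrites: the NameServer and DhcpNameServer values from a `reg export` of the Tcpip\Parameters key, and the IpDnsAddress and IpDns2Address fields of the rasphone.pbk phonebook, flagging any resolver that is not on an allowlist. The allowlist addresses, the sample registry export and the sample phonebook are constructed for illustration and are assumptions, not data from the entry.

```python
"""Audit the DNS settings that Alureon's DNS-changer component rewrites."""
import configparser
import re

# Resolvers this environment is allowed to use (assumed; adjust to yours).
ALLOWED_DNS = {"10.0.0.53", "10.0.0.54"}

# Constructed sample of a `reg export` of the Tcpip\Parameters key.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="10.0.0.53 10.0.0.54"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA-1}]
"NameServer"="198.51.100.7,10.0.0.53"
"DhcpNameServer"="10.0.0.53"
'''
# Constructed sample of the rasphone.pbk dial-up phonebook (INI format).
SAMPLE_PBK = '''[Office VPN]
IpDnsAddress=198.51.100.7
IpDns2Address=10.0.0.54
'''
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(NameServer|DhcpNameServer)"="(.*)"$')


def audit_reg_export(text: str) -> list:
    """Return 'key\\value=server' for each resolver not in ALLOWED_DNS."""
    findings, key = [], ""
    for line in text.splitlines():
        sec = SECTION_RE.match(line.strip())
        val = VALUE_RE.match(line.strip())
        if sec:
            key = sec.group(1)
        elif val:
            # Windows separates multiple resolvers with spaces or commas.
            for server in re.split(r"[ ,]+", val.group(2)):
                if server and server not in ALLOWED_DNS:
                    findings.append(f"{key}\\{val.group(1)}={server}")
    return findings


def audit_phonebook(text: str) -> list:
    """Flag IpDnsAddress/IpDns2Address fields that point outside ALLOWED_DNS."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for entry in cp.sections():
        for field in ("IpDnsAddress", "IpDns2Address"):
            server = cp.get(entry, field, fallback="")
            if server and server not in ALLOWED_DNS:
                findings.append(f"{entry}\\{field}={server}")
    return findings
```

On a live system, feed `audit_reg_export` the output of `reg export` for the Tcpip\Parameters key and `audit_phonebook` the contents of rasphone.pbk; an empty result from both means every configured resolver is on the allowlist.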

A second Alureon component does the following:

  • Create a randomly named copy of itself in the <system folder>
  • Inject threads into local processes to delete itself and do other tasks
  • Create registry entries under the key HKCR
  • Create registry subkeys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins

A third Alureon component does the following:

  • Gather URLs from your browser history
  • Create a new registry value in the subkey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and place random data in it
  • Create a randomly named copy of itself under the <system folder>
  • Add this entry to the registry so that the trojan copy runs automatically each time Windows starts:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<name of trojan copy>"
    With data: "<path to trojan copy>"

  • Delete the following registry entries under the subkey HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
    • The registry value whose name matches the name of the trojan file that is currently running.
    • The registry subkey whose name matches the name of the trojan file that is currently running.
  • Run the default web browser and inject code into this new browser process; the injected code might change DNS server settings on your PC and download and run files from certain websites
  • Run a new instance of explorer.exe and inject code into this new process; the injected code might delete the copy of this trojan that's currently running, to avoid detection by your security software

Corrupts drivers

Some variants of Alureon can infect the miniport driver associated with the hard disk that holds the operating system, causing the driver file to become corrupted and unusable. For the most common PC configuration (PCs using ATA hard disk drives), the ATA miniport driver atapi.sys is the target driver file. However, other files can also be targeted.

The most commonly targeted driver files are:

  • atapi.sys
  • iastor.sys
  • iastorv.sys
  • idechndr.sys
  • nvata.sys
  • nvatabus.sys
  • nvgts.sys
  • nvstor.sys
  • nvstor32.sys
  • sisraid.sys

Disables proxy settings

Some Alureon components can disable or clear existing Internet Explorer proxy settings.


Symptoms

Symptoms of a Win32/Alureon infection vary according to the particular variant, for example:

  • Your keyboard might be disabled
  • Windows XP unexpectedly requests activation as infected drivers simulate a significant hardware change

Prevention


Alert level: Severe
This entry was first published on: Mar 02, 2007
This entry was updated on: Apr 14, 2014

This threat is also detected as:
  • TR/Dldr.DNSChanger (Avira)
  • Win32/Alureon (CA)
  • Trojan.DnsChange (Dr.Web)
  • Trojan.Zlob (Ikarus)
  • Trojan-Downloader.Win32.Zlob (Kaspersky)
  • DNSChanger (McAfee)
  • Troj/Zlob (Sophos)
  • Trojan-Downloader.Win32.Femad (Sunbelt Software)
  • Trojan.Zlob (Symantec)
  • TROJ_DNSCHAN (Trend Micro)