Trojan:DOS/Alureon.F

Trojan:DOS/Alureon.F is a Master Boot Records (MBR) infected by certain variants of the Win32/Alureon rootkit family. The rootkit can infect both 32-bit and 64-bit systems.

Installation

MBRs detected as Trojan:DOS/Alureon.F are usually infected by Trojan:Win32/Alureon.FE.

Payload

Installs other malware components

When executed, Trojan:DOS/Alureon.F attempts to access the virtual file system (VFS) at the end of physical disk to locate the file 'boot' in the VFS root folder. It then loads 'boot' and transfers control to it.

The file 'boot' prevents Windows from checking digital signatures for drivers, installs itself as a handler for read/write requests from the hard disk, and loads the original MBR, which is stored as 'mbr' in the root VFS folder. It then transfers control to the original MBR.

Each time Windows reads from the hard drive, the file 'boot' intercepts data and monitors if the system debugger component 'KDCOM.DLL' is loaded into memory. If so, 'boot' injects another rootkit component from the VFS root folder named either 'dbg32' or 'dbg64', depending on the computer's architecture, thus forcing Windows to load it instead of the legitimate 'KDCOM.DLL' file.

The loaded rootkit component loads the main rootkit driver, which is responsible for hiding the Alureon rootkit components.

Additional information

Refer to the family description for Win32/Alureon for more information on this family.

Analysis by Wei Li