Trojan:Win32/Alureon.DH is a member of Win32/Alureon, a multi-component family of trojans involved in a broad range of subversive activities online that generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating an affected user's activities online to the attacker's benefit. As such, the various components of this family have been used for:
- modifying the affected user's search results (search hijacking)
- redirecting the affected user's browsing to sites of the attacker's choice (browser hijacking)
- changing DNS settings to redirect users to sites of the attacker's choice without the affected user's knowledge
- downloading and executing arbitrary files, including additional components and other malware
- serving illegitimate advertising
- installing rogue security software
- banner clicking
Win32/Alureon also uses advanced stealth techniques to hinder the detection and removal of its various components.
Some variants of this trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
Trojan:Win32/Alureon.DH is used to download and install other malware.
Installation
Trojan:Win32/Alureon.DH may be present as a semi-randomly named file in the Windows system folder in the following format:
<system folder>\h8srt<randomchars>.dll - for example, "h8srtejsuwmelgm.dll"
The trojan checks whether it has been loaded or injected into one of the following Web browser and Windows processes; if not, it exits:
iexplore.exe
explorer.exe
svchost.exe
chrome.exe
safari.exe
opera.exe
firefox.exe
If it was loaded by "svchost.exe" then it might create the following mutex:
a5e94d5f-f570-47db-93b5-7eb3ff31c01e
Additionally, the trojan may create a registry subkey named "HKLM\Software\H8SRT".
Payload
Display pop-up advertisements
Trojan:Win32/Alureon.DH may display unrequested pop-up advertisements while browsing the Internet.
Downloads arbitrary files
The trojan may contact various domains in an attempt to download additional malware. This trojan was observed connecting with the domain "hardlyfind.com".
Blocks certain Web sites
Trojan:Win32/Alureon.DH hooks the following Windows APIs to assist in blocking certain Web sites:
wininet.dll: InternetConnectA
wininet.dll: HttpOpenRequestA
wininet.dll: HttpAddRequestHeadersA
wininet.dll: InternetConnectW
wininet.dll: HttpOpenRequestW
wininet.dll: HttpAddRequestHeadersW
dnsapi.dll: DnsQuery_W
dnsapi.dll: DnsQuery_A
The following list contains names of help-related sites that are blocked by the trojan:
Additionally, this trojan uses an encrypted configuration data file to manipulate the Web browser. The data file is semi-randomly named, for example:
%ALLUSERSPROFILE%\Application Data\h8srtkrl32mainweq.dll
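The host artifacts listed under Installation and Payload (the h8srt*.dll component, the HKLM\Software\H8SRT subkey, the svchost.exe mutex, the configuration file, and the DLL being loaded in the targeted browser and Windows processes) can be checked for with a PowerShell triage script. This is an added example, not part of the original write-up; it assumes the mutex lives in the local session namespace (no "Global\" prefix) and that the 32-bit component may also sit in SysWOW64 on 64-bit Windows.

```powershell
# Added triage script: checks a host for the Alureon.DH artifacts described in the write-up.
# Names and paths are taken from the write-up; namespace and SysWOW64 handling are assumptions.
$findings = @()

# 1. Semi-randomly named component: <system folder>\h8srt<randomchars>.dll
#    System32 plus SysWOW64 (assumed location for the 32-bit DLL on 64-bit Windows).
$sysDirs = @([Environment]::GetFolderPath('System'), [Environment]::GetFolderPath('SystemX86')) | Select-Object -Unique
foreach ($d in $sysDirs) {
    Get-ChildItem -Path $d -Filter 'h8srt*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "DLL in system folder: $($_.FullName)" }
}

# 2. Encrypted configuration file: %ALLUSERSPROFILE%\Application Data\h8srt*.dll
#    ("Application Data" is a hidden junction under ProgramData on Vista and later, hence -Force).
$cfgDir = Join-Path $env:ALLUSERSPROFILE 'Application Data'
Get-ChildItem -Path $cfgDir -Filter 'h8srt*.dll' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Config file: $($_.FullName)" }

# 3. Registry marker HKLM\Software\H8SRT
if (Test-Path 'HKLM:\SOFTWARE\H8SRT') { $findings += 'Registry key HKLM\SOFTWARE\H8SRT present' }

# 4. Mutex created when the DLL is loaded by svchost.exe (assumed: local session namespace)
$mutexName = 'a5e94d5f-f570-47db-93b5-7eb3ff31c01e'
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Close()
    $findings += "Mutex $mutexName present"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex absent: nothing to report.
} catch {
    $findings += "Mutex check failed: $($_.Exception.Message)"
}

# 5. DLL loaded in the browser / Windows processes the trojan requires as its host
$hosts = 'iexplore', 'explorer', 'svchost', 'chrome', 'safari', 'opera', 'firefox'
foreach ($p in Get-Process -Name $hosts -ErrorAction SilentlyContinue) {
    try {
        $p.Modules | Where-Object { $_.ModuleName -like 'h8srt*.dll' } |
            ForEach-Object { $findings += "Loaded in $($p.ProcessName) (PID $($p.Id)): $($_.FileName)" }
    } catch {
        # Module enumeration fails for some processes unless the script runs elevated.
    }
}

if ($findings.Count -eq 0) { 'No Alureon.DH artifacts found' } else { $findings }
```

Run from an elevated prompt so that module enumeration covers svchost.exe instances; a clean result from this script does not rule out the rootkit components the family uses to hide its files.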
Analysis by Andrei Florin Saygo