Threat behavior
Trojan:Win32/Alureon.DN is a detection for a DLL component of the Win32/Alureon family. Once loaded into a browser, the DLL may inject HTML code into Web pages the affected user browses and may redirect certain URLs.
Installation
Trojan:Win32/Alureon.DN may be dropped by other members of the Alureon family as <systemroot>\system32\pragmabbr.dll.
Trojan:Win32/Alureon.DN is a DLL rather than a stand-alone program; it is loaded into the following browser processes, which is what lets it alter page content and redirect URLs:
- "iexplore.exe"
- "firefox.exe"
- "safari.exe"
- "chrome.exe"
Payload
Connects to remote servers / Downloads arbitrary files
Trojan:Win32/Alureon.DN has been observed connecting to the following remote servers:
finderoce.org
findextcade.org
findincese.org
The malware contacts these servers to report the infection and to download the following file:
<%TEMP%>\pragmamainqt.dll
Note - <%TEMP%> refers to a variable location that the malware determines by querying the operating system. The default Temp folder for Windows NT, 2000 and XP is C:\Documents and Settings\<user>\Local Settings\Temp (C:\DOCUME~1\<user>\LOCALS~1\Temp in short 8.3 form); for Vista and 7 it is C:\Users\<user name>\AppData\Local\Temp.
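The indicators above (three command-and-control domains and two file names) are the practical hooks for hunting this component. The following added example, which is not Microsoft's code and not part of the original write-up, sweeps a constructed DNS query log and a constructed file listing for them. The log line layout, the client addresses and the sample paths are assumptions made for the demonstration; the domain and file names are the ones this page reports.

```python
"""Added example: hunt for the Alureon.DN indicators named on this page.
Not Microsoft's code; the DNS log format and sample paths are invented."""
import re
from typing import Iterable, List, Optional, Tuple

# Command-and-control domains reported for Trojan:Win32/Alureon.DN.
C2_DOMAINS = ("finderoce.org", "findextcade.org", "findincese.org")

# File names the page lists: the dropped DLL and the downloaded component.
DROPPED_FILE_NAMES = ("pragmabbr.dll", "pragmamainqt.dll")

# Constructed DNS query log; the layout is an assumption for this example.
SAMPLE_DNS_LOG = """\
2011-03-14T10:01:02Z client=10.0.0.5 query=www.microsoft.com type=A
2011-03-14T10:01:07Z client=10.0.0.5 query=finderoce.org type=A
2011-03-14T10:01:09Z client=10.0.0.9 query=cdn.findextcade.org type=A
2011-03-14T10:01:11Z client=10.0.0.5 query=notfindincese.org type=A
2011-03-14T10:02:30Z client=10.0.0.7 query=FINDINCESE.ORG type=A
"""

_QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def is_c2_domain(qname: str) -> bool:
    """True if qname is one of the C2 domains or a subdomain of one.

    Matching is done on label boundaries, so 'notfindincese.org' is not
    mistaken for 'findincese.org'. DNS names are case-insensitive, and a
    trailing dot (fully qualified form) is ignored.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def c2_lookups(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs for every lookup of a C2 domain."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and is_c2_domain(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name matches a dropped or downloaded component.

    NTFS file names are case-insensitive, so names are compared lower-cased.
    Only the file name is checked because %SystemRoot% and %TEMP% differ
    from host to host (see the note above about the Temp folder).
    """
    found: List[str] = []
    for p in paths:
        name = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILE_NAMES:
            found.append(p)
    return found


if __name__ == "__main__":
    for client, qname in c2_lookups(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
    # Constructed file listing; the paths are assumptions for this example.
    sample_listing = [
        r"C:\Windows\system32\pragmabbr.dll",
        r"C:\Windows\system32\kernel32.dll",
        r"C:\Users\alice\AppData\Local\Temp\PRAGMAMAINQT.DLL",
    ]
    for p in suspicious_paths(sample_listing):
        print("suspicious file:", p)
```

The label-boundary test in is_c2_domain matters in practice: a plain substring match would also fire on unrelated names that merely end in the same letters, and would miss nothing the boundary test catches, so the stricter check costs no coverage.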
Redirects Web pages
Trojan:Win32/Alureon.DN attempts to redirect Web pages the affected user tries to visit, but it does not redirect any URL that contains one of the following strings. The list consists mainly of search engine, advertising and analytics hosts, and the match is a plain substring test on the URL rather than a check of the host name:
"yimg."
"rds.yahoo."
"google."
".google"
"bing."
"yahoo."
"atdmt."
"aolcdn."
"atwola.com"
".aol."
"dmn.aol."
"sa.aol."
".icq."
"dw.com."
".gstatic."
"img.youtube."
"i.i.com."
"google-analytics.com"
".everesttech."
".ixnp."
"googleapis."
".alexametrics."
"scorecardresearch.com"
"alltheweb."
"altavista."
"microsofttranslator."
"askcache."
"searchapi.search.aol."
"cc.msnscache.com"
".googlehosted.com"
"gesualdo.alexa."
"click-analytics.google.com"
"search/cache"
"/search/search"
"search/redir"
"alexa.com"
"facebook."
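Because the page describes the exclusion as "URLs that contain any of the following strings", the filter is a substring test over the whole URL, not a host-name match. The added example below, which is not the malware's code and not part of the original write-up, reimplements that test with the page's list so its reach can be checked on sample URLs. Case-insensitive comparison and the sample URLs are assumptions made for the demonstration.

```python
"""Added example: reimplement the Alureon.DN redirect exclusion as the page
describes it (substring match) to see which URLs it would spare. Not the
malware's own code; case-insensitivity is an assumption."""
from typing import Dict, Iterable, Optional

# The exclusion strings exactly as listed on this page.
EXCLUSION_STRINGS = (
    "yimg.", "rds.yahoo.", "google.", ".google", "bing.", "yahoo.", "atdmt.",
    "aolcdn.", "atwola.com", ".aol.", "dmn.aol.", "sa.aol.", ".icq.", "dw.com.",
    ".gstatic.", "img.youtube.", "i.i.com.", "google-analytics.com",
    ".everesttech.", ".ixnp.", "googleapis.", ".alexametrics.",
    "scorecardresearch.com", "alltheweb.", "altavista.", "microsofttranslator.",
    "askcache.", "searchapi.search.aol.", "cc.msnscache.com", ".googlehosted.com",
    "gesualdo.alexa.", "click-analytics.google.com", "search/cache",
    "/search/search", "search/redir", "alexa.com", "facebook.",
)


def matching_exclusion(url: str) -> Optional[str]:
    """Return the first exclusion string found anywhere in url, or None.

    The comparison is a plain substring test on the full URL, as the page
    describes. Lower-casing both sides is an assumption: the page does not
    say whether the malware's comparison is case-sensitive.
    """
    u = url.lower()
    for s in EXCLUSION_STRINGS:
        if s in u:
            return s
    return None


def would_redirect(url: str) -> bool:
    """True if the URL is outside the exclusion list and so would be redirected."""
    return matching_exclusion(url) is None


def classify(urls: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each URL to the exclusion string that spares it, or None if it
    would be redirected."""
    return {u: matching_exclusion(u) for u in urls}


# Constructed sample URLs; none of these are from the original page.
SAMPLE_URLS = (
    "http://www.google.com/search?q=alureon",        # spared by "google."
    "http://mybank.example/login",                   # no match: redirected
    "http://evil.example/landing?ref=facebook.com",  # spared by "facebook." in the query
    "http://intranet.example/search/search?q=x",     # spared by the path fragment
    "http://news.example/article",                   # no match: redirected
)

if __name__ == "__main__":
    for url, hit in classify(SAMPLE_URLS).items():
        verdict = "redirected" if hit is None else f"spared by {hit!r}"
        print(f"{url}: {verdict}")
```

The third and fourth sample URLs show the caveat a responder should keep in mind: the exclusion is keyed on substrings, so a URL is spared when an excluded string appears anywhere in it, including a query parameter or a path fragment such as "/search/search". A redirect that fails to fire on a given URL therefore does not prove the browser is clean, and the file and domain indicators in the Payload section are the more reliable test.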
Analysis by Shawn Wang
Prevention