Trojan:Win32/Alureon.DX is a rootkit that differs in behavior depending on whether the operating system is 32-bits or 64-bits.
Trojan:Win32/Alureon.DX is a component of Win32/Alureon, a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.
On a 32-bit-based operating system:
Trojan:Win32/Alureon.DX copies itself to the %Temp% directory (the source file is referenced by a path of the form \\?\globalroot\Device\HarddiskVolume1\directory\sourcefile.exe), for example as %temp%\tmpfile1.tmp.
It then converts its copy into a DLL file; for example, %temp%\tmpfile1.tmp is converted to %temp%\tmpfile2.tmp.
It attempts to install the DLL file as a print provider.
Trojan:Win32/Alureon.DX may attempt to manually start the "spooler" service. If it fails, it tries a second time.
The DLL file drops a driver to disk, for example as %temp%\tmpfile3.tmp. The dropped driver is detected as Trojan:WinNT/Alureon.L.
Trojan:Win32/Alureon.DX makes the following registry modifications for the dropped driver before attempting to load it:
- Adds value: "ImagePath"
  With data: "\??\%temp%\<driver file name>.tmp"
  In subkey: HKLM\System\CurrentControlSet\Services\<service name>
- Adds value: "Type"
  With data: "1"
  In subkey: HKLM\System\CurrentControlSet\Services\<service name>
Where <service name> is a string of randomly generated characters.
These modifications are then deleted.
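The registry pattern above is a usable detection signature: a service entry of Type 1 (SERVICE_KERNEL_DRIVER) whose ImagePath is a .tmp file under the user's temp directory, registered under a randomly named service key. The Python below is an added example, not code from the page or from Microsoft; it runs that check over a constructed set of service records of the kind a registry snapshot or an EDR registry-audit feed would supply, with a hypothetical temp directory. Because the page says the entries are deleted again once the driver is loaded, a live registry scan only catches this during a short window; the same logic applies to registry-change telemetry (key and value creation events) or to a snapshot captured at the time of the incident.

```python
import re

SERVICE_TYPE_KERNEL_DRIVER = 1  # SERVICE_KERNEL_DRIVER, the "Type" = 1 value the page describes

# Constructed sample records for HKLM\System\CurrentControlSet\Services\<name>,
# as a registry snapshot or EDR feed might present them. Not data from a real host.
SAMPLE_SERVICES = [
    {"name": "Tcpip", "ImagePath": r"System32\drivers\tcpip.sys", "Type": 1},
    {"name": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Type": 16},
    {"name": "hjk3l9qz", "ImagePath": r"\??\%temp%\tmpfile3.tmp", "Type": 1},
    {"name": "Dnscache", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService", "Type": 32},
]

# Hypothetical %temp% of the logged-on user (assumption for the example).
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"


def normalize_image_path(image_path, temp_dir):
    """Strip the NT object-manager prefix "\\??\\" shown in the page's ImagePath data
    and expand the %temp% token (case-insensitively) to the user's temp directory."""
    path = image_path
    if path.startswith("\\??\\"):
        path = path[4:]
    return re.sub(r"%temp%", lambda m: temp_dir, path, flags=re.IGNORECASE)


def looks_like_alureon_driver_service(service, temp_dir):
    """True when a service entry matches the dropped-driver pattern on the page:
    a kernel driver (Type 1) whose ImagePath is a .tmp file inside the temp directory."""
    if service.get("Type") != SERVICE_TYPE_KERNEL_DRIVER:
        return False
    path = normalize_image_path(service.get("ImagePath", ""), temp_dir).lower()
    in_temp = path.startswith(temp_dir.lower().rstrip("\\") + "\\")
    return in_temp and path.endswith(".tmp")


def find_suspicious_services(services, temp_dir):
    """Names of service keys that match the pattern, for triage."""
    return [s["name"] for s in services if looks_like_alureon_driver_service(s, temp_dir)]


if __name__ == "__main__":
    print(find_suspicious_services(SAMPLE_SERVICES, TEMP_DIR))
```

The Type check matters: a .tmp path by itself also turns up in legitimate installer services, but a kernel driver loaded from a temp file is unusual enough to warrant a look on its own. The same temp-path test can be applied to the print-provider DLL registration the page describes.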
Trojan:Win32/Alureon.DX generates a unique GUID by retrieving data from the following registry key value:
- \registry\machine\software\microsoft\cryptography\machineguid
Trojan:Win32/Alureon.DX copies the following files to an encrypted virtual file system (VFS):
- bckfg.tmp
- cfg.ini
- cmd.dll
- cmd64.dll
- drv32
- drv64
- ldr16
- ldr32
- ldr64
The dropped driver is responsible for loading these files from the encrypted VFS. It is also responsible for modifying the Master Boot Record (MBR). The modified MBR is detected as Trojan:DOS/Alureon.A.
On a 64-bit-based operating system:
Trojan:Win32/Alureon.DX writes directly into the encrypted virtual file system (VFS). It also attempts to directly modify the Master Boot Record (MBR). After attempting these modifications, it attempts to force a reboot of the computer.
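Both the 32-bit path (the dropped driver modifies the MBR) and the 64-bit path (the trojan writes the MBR directly) end in a changed Master Boot Record, so a boot-sector baseline is a natural integrity check. The Python below is an added example, not code from the page: it splits a 512-byte sector into boot code, partition table and the 0x55AA signature, hashes only the 446-byte boot-code region (so a routine partition-table edit does not raise an alert), and compares the digest with a stored baseline. The sectors it checks are constructed inside the script with placeholder boot code; on a real system the sector comes from reading the first 512 bytes of the physical disk, and since the page describes a rootkit, a read taken from the running, infected system may not reflect what is actually on disk, so baseline and comparison are best taken from offline or rescue media.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code, the region a bootkit rewrites
PARTITION_TABLE_LEN = 64     # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sector(boot_code, partition_table):
    """Assemble a 512-byte MBR from constructed parts (test data, not a real disk)."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = partition_table[:PARTITION_TABLE_LEN].ljust(PARTITION_TABLE_LEN, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split a sector into regions; reject anything that is not a 512-byte sector ending in 0x55AA."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d bytes" % (MBR_SIZE, len(sector)))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partition_table": sector[BOOT_CODE_LEN:BOOT_CODE_LEN + PARTITION_TABLE_LEN],
    }


def boot_code_digest(sector):
    """SHA-256 of the boot-code region only; this is what the baseline records."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector, baseline_digest):
    """Return (ok, reason); ok is False when the boot code differs from the baseline."""
    digest = boot_code_digest(sector)
    if digest != baseline_digest:
        return False, "boot code digest %s... does not match baseline %s..." % (digest[:16], baseline_digest[:16])
    return True, "boot code matches baseline"


# Constructed sample sectors. The boot code is a placeholder byte pattern, not a real boot loader.
CONSTRUCTED_TABLE = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
                     + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
PLACEHOLDER_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" * 4
CLEAN_SECTOR = build_sector(PLACEHOLDER_BOOT_CODE, CONSTRUCTED_TABLE)
# Same partition table, different boot code: what an MBR overwrite looks like to this check.
TAMPERED_SECTOR = build_sector(b"\xEB\x58\x90\x00" * 8, CONSTRUCTED_TABLE)
# Same boot code, a second partition entry added: a legitimate change that must not be reported.
REPARTITIONED_SECTOR = build_sector(
    PLACEHOLDER_BOOT_CODE,
    CONSTRUCTED_TABLE + bytes([0x00, 0xFE, 0xFF, 0xFF, 0x07, 0xFE, 0xFF, 0xFF])
    + (206848).to_bytes(4, "little") + (409600).to_bytes(4, "little"))

if __name__ == "__main__":
    baseline = boot_code_digest(CLEAN_SECTOR)  # taken once from a known-good system
    for name, sector in [("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR),
                         ("repartitioned", REPARTITIONED_SECTOR)]:
        print(name, check_mbr(sector, baseline))
```

Store the baseline digest somewhere the host cannot rewrite (a management server, or a signed record), and re-baseline deliberately after legitimate boot-loader updates rather than letting the check silently accept the new value.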
Additional information
Contacts remote servers
Trojan:Win32/Alureon.DX attempts to contact the following servers:
- 34jh7alm94.asia
- 61.61.20.132
- 61.61.20.135
- 68b6b6b6.com
- 91jjak4555j.com
- a74232357.cn
- a76956922.cn
- cri71ki813ck.com
- lk01ha71gg1.cc
- nyewrika.in
- rukkieanno.in
- zl091kha644.com
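The domains and IP addresses listed above are the network indicators from this analysis. The Python below, an added example rather than code from the page, matches them against constructed DNS-query and TCP-connect log lines in a simplified, made-up format with hypothetical 10.0.0.x internal hosts. Domain matching is case-insensitive and covers subdomains of a listed name, but not look-alike names that merely end in the same characters. Treat the indicators as historical: infrastructure of this kind changes, so a clean result says nothing about later variants.

```python
import ipaddress
import re

# Indicators as listed on the page: domains and IP addresses the trojan attempts to contact.
ALUREON_DX_DOMAINS = {
    "34jh7alm94.asia", "68b6b6b6.com", "91jjak4555j.com", "a74232357.cn",
    "a76956922.cn", "cri71ki813ck.com", "lk01ha71gg1.cc", "nyewrika.in",
    "rukkieanno.in", "zl091kha644.com",
}
ALUREON_DX_IPS = {"61.61.20.132", "61.61.20.135"}

# Constructed sample log lines (not real telemetry): "<timestamp> <client> dns query <name>"
# or "<timestamp> <client> tcp connect <ip>:<port>".
SAMPLE_LOG = """\
2010-03-01T10:00:01Z 10.0.0.12 dns query example.com
2010-03-01T10:00:05Z 10.0.0.12 dns query cri71ki813ck.com
2010-03-01T10:00:06Z 10.0.0.12 tcp connect 61.61.20.135:80
2010-03-01T10:00:09Z 10.0.0.7 dns query www.NYEWRIKA.in
2010-03-01T10:00:11Z 10.0.0.7 tcp connect 93.184.216.34:443
2010-03-01T10:00:12Z 10.0.0.9 dns query notnyewrika.in
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>dns|tcp) (?:query|connect) (?P<dest>\S+)$")


def domain_matches(name):
    """Exact match or subdomain of a listed domain; 'notnyewrika.in' must not match."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in ALUREON_DX_DOMAINS)


def ip_matches(dest):
    """Exact match on the IPv4 address; accepts the 'ip:port' form used in the sample."""
    host = dest.split(":")[0]
    try:
        return str(ipaddress.ip_address(host)) in ALUREON_DX_IPS
    except ValueError:
        return False


def scan_log(text):
    """Return (client, destination) pairs for lines that touch a listed indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these rather than drop them silently
        proto, dest = m.group("proto"), m.group("dest")
        if (proto == "dns" and domain_matches(dest)) or (proto == "tcp" and ip_matches(dest)):
            hits.append((m.group("src"), dest))
    return hits


if __name__ == "__main__":
    for src, dest in scan_log(SAMPLE_LOG):
        print("indicator hit: %s -> %s" % (src, dest))
```

Group hits by client before acting on them: one host querying several of these names within a short window, as 10.0.0.12 does in the sample, is a stronger signal than a single lookup, which may be a security tool or a user following a link.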
Analysis by Scott Molenkamp