Trojan:Win32/Alureon.CT is a member of Win32/Alureon, a multi-component family of trojans involved in a broad range of subversive online activities that generate revenue for its controllers from various sources. Most of the time, Win32/Alureon is used to manipulate the affected user's online activity to the attacker's benefit. As such, the various components of this family have been used for:
- modifying the affected user's search results (search hijacking)
- redirecting the affected user's browsing to sites of the attacker's choice (browser hijacking)
- changing DNS settings to redirect users to sites of the attacker's choice without the affected user's knowledge
- downloading and executing arbitrary files, including additional components and other malware
- serving illegitimate advertising
- installing rogue security software
Win32/Alureon also uses advanced stealth techniques to hinder the detection and removal of its various components.
Some variants of this trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore, it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
Trojan:Win32/Alureon.CT is a trojan that may send system information to a remote address.
Trojan:Win32/Alureon.BE may be downloaded or dropped by other members of the Alureon family. It is usually installed or dropped in the following location:
<system folder>\spool\PRTPROCS\W32X86\<random letter or number>.tmp
It injects its code into the legitimate process 'spoolsv.exe'.
Drops other malware
Trojan:Win32/Alureon.CT drops the following file:
It creates the following registry entry to enable its dropped file to run as a service:
Adds value: "ImagePath"
With data: "%Temp%\<random number or letter>.tmp"
In subkey: HKLM\System\CurrentControlSet\Services\tdlserv
It may also drop other files in the system, such as:
- [file name not preserved on this page] - detected also as Trojan:Win32/Alureon.CT
- tdlwsp.dll - detected as Trojan:Win32/Alureon.gen!U
- config.ini - contains malware information
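The following read-only audit script is an added example, not part of the original page, that checks a Windows host for the persistence indicators listed above: the 'tdlserv' service with an ImagePath pointing at a %Temp%\*.tmp file, any other service launched from a .tmp file, and .tmp files in the 32-bit print-processor folder used by the spoolsv.exe injection. It assumes an elevated PowerShell session and that the system folder is %SystemRoot%\System32; it changes nothing on the host.

```powershell
# Added example, not from the original page: read-only audit of one Windows host for
# the Alureon.CT indicators listed above (tdlserv service with a %Temp%\*.tmp
# ImagePath, and .tmp files in the 32-bit print-processor folder that the
# spoolsv.exe injection uses). Assumes an elevated session; nothing is modified.

function Get-AlureonCtIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. The service key named on the page.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\tdlserv'
    if (Test-Path -Path $svcKey) {
        $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings.Add([pscustomobject]@{
            Indicator = 'Service key tdlserv present'
            Detail    = "ImagePath = $imagePath"
            Severity  = 'High'
        })
    }

    # 2. Any service, whatever its name, whose binary is a .tmp file. The dropped
    #    file is %Temp%\<random>.tmp, so the exact name cannot be listed in advance.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName -match '\.tmp("|\s|$)') {
            $findings.Add([pscustomobject]@{
                Indicator = "Service '$($svc.Name)' launches a .tmp file"
                Detail    = $svc.PathName
                Severity  = 'High'
            })
        }
    }

    # 3. .tmp files in <system folder>\spool\PRTPROCS\W32X86 (legitimate print
    #    processors there are DLLs, not .tmp files).
    $prtprocs = Join-Path -Path $env:SystemRoot -ChildPath 'System32\spool\PRTPROCS\W32X86'
    if (Test-Path -Path $prtprocs) {
        foreach ($f in Get-ChildItem -Path $prtprocs -Filter '*.tmp' -File -ErrorAction SilentlyContinue) {
            $findings.Add([pscustomobject]@{
                Indicator = 'Unexpected .tmp in PRTPROCS\W32X86'
                Detail    = "$($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))"
                Severity  = 'Medium'
            })
        }
    }

    return $findings
}

Get-AlureonCtIndicators | Format-Table -AutoSize
```

An empty result means none of the three indicators was found; a hit on check 2 or 3 should be confirmed with the installed antivirus product before any file is removed, since the service is then re-created by other Alureon components unless they are removed as well.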
Connects to remote servers
Trojan:Win32/Alureon.CT may connect to the following remote servers and IP address:
It may then send information about the infected system to these servers.
Analysis by Tim Liu
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).