
Trojan:Win32/Alureon.DN


First posted on 13 July 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Alureon.DN is also known as Win-Trojan/Tdss.57344.C (AhnLab), W32/Alureon.U.gen!Eldorado (Authentium (Comm, Trojan.Win32.Tdss.bdkg (Kaspersky), W32/DNSChanger.HNAV (Norman), Trojan.Tdss.UIL (VirusBuster), Trojan horse Generic17.CANZ (AVG), TR/TDss.bdkg.36 (Avira), Trojan.TDss.AEB (BitDefender), Trojan.DownLoad1.58684 (Dr.Web), Trojan.Win32.Tdss (Ikarus), DNSChanger!ea (McAfee), Mal/TDSSPack-Q (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), Packed.Generic.277 (Symantec), TROJ_TDSS.AJD (Trend Micro).

Explanation :

Trojan:Win32/Alureon.DN is a detection of a DLL component of the Win32/Alureon family. The malware may attempt to embed HTML code into Web pages the affected user browses, and may attempt to redirect certain URLs.

Installation :

Trojan:Win32/Alureon.DN may be dropped by other members of the Alureon family as <systemroot>\system32\pragmabbr.dll. Trojan:Win32/Alureon.DN is run by the following EXE processes:

  • "iexplore.exe"
  • "firefox.exe"
  • "safari.exe"
  • "chrome.exe"

Payload :

Connects to remote servers / Downloads arbitrary files

Trojan:Win32/Alureon.DN has been observed connecting to the following remote servers:

  • finderoce.org
  • findextcade.org
  • findincese.org

The malware does this in order to report infection and download the following file: <%TEMP%>\pragmamainqt.dll

Note - <%TEMP%> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Temp folder for Windows 2000 and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; and for XP, Vista, and 7 is C:\Users\<user name>\AppData\Local\Temp.

Redirects Web pages :

Trojan:Win32/Alureon.DN attempts to redirect Web pages the affected user is trying to visit, but will not redirect URLs that contain any of the following strings:

  • "yimg."
  • "rds.yahoo."
  • "google."
  • ".google"
  • "bing."
  • "yahoo."
  • "atdmt."
  • "aolcdn."
  • "atwola.com"
  • ".aol."
  • "dmn.aol."
  • "sa.aol."
  • ".icq."
  • "dw.com."
  • ".gstatic."
  • "img.youtube."
  • "i.i.com."
  • "google-analytics.com"
  • ".everesttech."
  • ".ixnp."
  • "googleapis."
  • ".alexametrics."
  • "scorecardresearch.com"
  • "alltheweb."
  • "altavista."
  • "microsofttranslator."
  • "microsofttranslator."
  • "askcache."
  • "searchapi.search.aol."
  • "cc.msnscache.com"
  • ".googlehosted.com"
  • "gesualdo.alexa."
  • "click-analytics.google.com"
  • "search/cache"
  • "/search/search"
  • "search/redir"
  • "alexa.com"
  • "facebook."
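Added example, not code from the original page or from the analysis it reproduces: a small Python triage script that matches the indicators listed above (the three remote servers, the two DLL names and the four host processes) against constructed DNS/proxy log lines and a constructed file listing. The log format, the sample lines, the subdomain `cdn.findextcade.org` and the file paths are assumptions made for this example; only the domain names, file names and process names come from the page.

```python
"""Added example (not part of the original page): match the Trojan:Win32/Alureon.DN
indicators listed above against constructed log lines and a constructed file list."""
import re

# Indicators taken from the page.
C2_DOMAINS = frozenset({"finderoce.org", "findextcade.org", "findincese.org"})
DROPPED_FILES = frozenset({"pragmabbr.dll", "pragmamainqt.dll"})
HOST_PROCESSES = frozenset({"iexplore.exe", "firefox.exe", "safari.exe", "chrome.exe"})

# Assumed log format (an assumption for this example, not a real product's format):
#   <timestamp> <client-ip> <process-name> <hostname-or-url>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<target>\S+)$")


def extract_host(target):
    """Return the lowercase host part of a bare hostname or a URL
    (scheme, userinfo, port and path removed)."""
    if "://" in target:
        target = target.split("://", 1)[1]
    host = target.split("/", 1)[0]
    host = host.rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower()


def is_c2_host(host):
    """True when host is one of the listed domains or a subdomain of one.
    Suffix matching is anchored on a dot so that a look-alike such as
    'findincese.org.example.net' is not matched."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def find_c2_hits(log_lines):
    """Return (timestamp, client, process, host, from_listed_browser) for every
    well-formed line whose target is a C2 domain; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = extract_host(m["target"])
        if is_c2_host(host):
            proc = m["proc"].lower()
            hits.append((m["ts"], m["client"], proc, host, proc in HOST_PROCESSES))
    return hits


def find_dropped_files(paths):
    """Return (path, basename) for paths whose file name is one of the dropped DLLs."""
    hits = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            hits.append((path, name))
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2010-07-13T10:01:02Z 10.0.0.5 iexplore.exe http://finderoce.org/?id=1",
    "2010-07-13T10:01:05Z 10.0.0.5 firefox.exe www.example.com",
    "2010-07-13T10:02:11Z 10.0.0.7 chrome.exe http://cdn.findextcade.org:8080/x.php",
    "2010-07-13T10:03:00Z 10.0.0.9 svchost.exe findincese.org.example.net",
    "malformed line",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\pragmabbr.dll",
    r"C:\Users\alice\AppData\Local\Temp\pragmamainqt.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 contact:", hit)
    for hit in find_dropped_files(SAMPLE_FILES):
        print("dropped file:", hit)
```

The last element of each C2 hit records whether the contacting process is one of the browsers the page names as hosts for the DLL; a contact from another process still matters, but a match on both the domain and the process is the stronger signal. Suffix matching on the domain is anchored on a dot so that a longer hostname that merely begins with a listed domain is not reported.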

Analysis by Shawn Wang

Last update 13 July 2010
