Trojan:Win32/Alureon.EC
First posted on 06 October 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Alureon.EC is also known as Backdoor.Win32.TDSS.ahg (Kaspersky), Backdoor.TDSS.YYV (VirusBuster), BackDoor.Generic13.BPJ (AVG), BDS/TDSS.ahf (Avira), Trojan.TDSS.AGQ (BitDefender), BackDoor.Siggen.26107 (Dr.Web), Win32/Olmarik.ADF (ESET), Backdoor.Win32.TDSS (Ikarus), Generic.dx!tty (McAfee), Mal/TDSSPack-AF (Sophos), Packed.Win32.Tdss.ad (Sunbelt Software), TROJ_TDSS.SMET (Trend Micro).
Explanation:
Trojan:Win32/Alureon.EC is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.
Installation
In the wild, we have observed Trojan:Win32/Alureon.EC being installed by other components of the Win32/Alureon family, and a number of rogue families. Upon execution, the trojan drops itself as a .dll to the following location:
<system folder>\spool\prtprocs\w32x86\<random name>.dll
Trojan:Win32/Alureon.EC loads the DLL by adding it to the computer's print processor provider. It then calls the Printing Subsystem hosted by the spoolsv.exe process, and forces spoolsv.exe to load the malicious DLL remotely.
The trojan then moves itself to the %TEMP% folder under a random name:
%TEMP%\<random name>
The malware delays deleting itself until the next reboot, in order to prevent anti-virus software from detecting it easily; it does this by making the following registry modification:
In subkey: \Registry\Machine\System\CurrentControlSet\Control\Session Manager
Sets value: "PendingFileRenameOperations"
With data: "<system folder>\spool\prtprocs\w32x86\<random name>.dll"
Trojan:Win32/Alureon.EC drops the driver component to the %TEMP% folder:
%TEMP%\<random name>.sys - detected as Trojan:WinNT/Alureon.H
Trojan:Win32/Alureon.EC then drops two other components to its own file system:
tdlcmd.dll
config.ini
Payload
Modifies DNS settings
Trojan:Win32/Alureon.EC modifies the DHCP registry to point to a malicious DHCP server:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6D27B2D4-5401-454C-A38E-BFB25BE2736A}
Sets value: "DhcpNameServer"
With data: "93.188.163.181,93.188.166.181"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Sets value: "DhcpNameServer"
With data: "93.188.163.181,93.188.166.181"
Contacts remote host
The trojan attempts to divert the affected user's attention by redirecting a web browser to www.microsoft.com, while it collects information from the affected computer and sends this information to the following domains:
topeate.com/kx.php
dynvolume.com
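Added example, not code from the original advisory: a PowerShell check an administrator can run on a suspect host for the registry and file artifacts described above. The DNS addresses, value names and drop path come from the advisory; the print processor registry key and the use of %SystemRoot%\System32 as the 32-bit system folder are assumptions about a standard Windows install.

```powershell
# Added example, not code from the advisory: check a suspect host for the Alureon.EC
# artifacts described above. Run from an elevated PowerShell prompt. Assumes 32-bit
# Windows (system folder = %SystemRoot%\System32, print processors under "Windows NT x86").
$BadDns   = @('93.188.163.181', '93.188.166.181')   # DNS servers named in the advisory
$Findings = @()

# 1. DNS settings: the trojan writes DhcpNameServer under the TCP/IP Parameters key and
#    under per-interface keys. Check the DHCP-assigned and the static value names in both.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Keys = @($TcpipParams)
foreach ($Iface in (Get-ChildItem "$TcpipParams\Interfaces" -ErrorAction SilentlyContinue)) {
    $Keys += $Iface.PSPath
}
foreach ($Key in $Keys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($Name in @('DhcpNameServer', 'NameServer')) {
        $Value = $Props.$Name
        if (-not $Value) { continue }
        $Servers = $Value -split '[ ,]+' | Where-Object { $_ }   # comma/space separated list
        if ($Servers | Where-Object { $BadDns -contains $_ }) {
            $Findings += "DNS: $Key\$Name = '$Value'"
        }
    }
}

# 2. Deferred self-deletion: a PendingFileRenameOperations entry that points into the
#    print processor directory.
$SessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Pending = (Get-ItemProperty -Path $SessMgr -ErrorAction SilentlyContinue).PendingFileRenameOperations
foreach ($Entry in @($Pending)) {
    if ($Entry -and $Entry -match '\\spool\\prtprocs\\') {
        $Findings += "PendingFileRenameOperations: $Entry"
    }
}

# 3. Print processor persistence: registered processors other than the built-in winprint, plus
#    extra DLLs in the drop directory. Printer drivers can legitimately add print processors,
#    so treat these as leads to inspect, not as a verdict.
$PrtProcs = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors'
foreach ($Proc in (Get-ChildItem $PrtProcs -ErrorAction SilentlyContinue)) {
    $Driver = (Get-ItemProperty -Path $Proc.PSPath).Driver
    if ($Driver -and $Driver -ine 'winprint.dll') {
        $Findings += "Print processor '$($Proc.PSChildName)' loads $Driver"
    }
}
$DropDir = Join-Path $env:SystemRoot 'System32\spool\prtprocs\w32x86'
foreach ($Dll in (Get-ChildItem $DropDir -Filter *.dll -ErrorAction SilentlyContinue)) {
    if ($Dll.Name -ine 'winprint.dll') { $Findings += "Unexpected DLL: $($Dll.FullName)" }
}
if ($Findings) { $Findings | ForEach-Object { "[!] $_" } } else { 'No Alureon.EC indicators found.' }
```

A DNS hit alone is worth acting on even after the files are gone, since the advisory notes the DNS settings must be reset separately once the trojan is removed.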
Analysis by Tim Liu
Last update 06 October 2010