
Trojan:Win32/Alureon.gen!R


First posted on 11 May 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Alureon.gen!R is also known as DNSChanger.f.gen.a (McAfee) and Backdoor.Tidserv (Symantec).

Explanation:

Trojan:Win32/Alureon.gen!R is the generic detection for a DLL component of a trojan that modifies DNS settings on the infected computer, enabling an attacker to perform malicious tasks. These may include intercepting Internet traffic and thus capturing confidential information such as user names, passwords, and other sensitive data. For more information on this family of trojans, please check the Win32/Alureon description in the encyclopedia.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\dssinit.dll
    <system folder>\dssurls.log
    %TEMP%\dsstempresp.tmp
  • The presence of the following registry subkey:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\dssData

    Installation
    Trojan:Win32/Alureon.gen!R is a generic detection for a DLL component that is installed by another Alureon malware, usually detected as Trojan:Win32/Alureon.gen!J. It is usually injected into a system process. It checks whether the process into which it has been injected is any of the following, and exits if this is the case:
  • lsass.exe
  • opera.exe
  • services.exe
  • winlogon.exe

    If the process into which it has been injected is svchost.exe, it creates a mutex, for example SkGLGh58VhjfE9. It may also create the following files as part of its installation routine:
  • <system folder>\dssinit.dll
  • <system folder>\dssurls.log
  • %TEMP%\dsstempresp.tmp

    Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.

    It creates the following registry subkey:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\dssData
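As an added example that is not part of the original description, the following PowerShell triage script checks a host for the installation artifacts listed in the Symptoms and Installation sections (files, registry subkey, mutex) and lists the configured DNS resolvers for review. It assumes Windows PowerShell 5.1 or later on an elevated prompt; the Global\ mutex namespace and %SystemRoot%\Temp checks are assumptions about where a DLL hosted in svchost.exe would create its artifacts.

```powershell
# Added example: triage the artifacts named in this description. Assumes Windows
# PowerShell 5.1 or later, run from an elevated prompt on the suspect host.
$systemFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$findings = @()

# 1. Files the DLL may create as part of its installation routine
$files = @(
    (Join-Path $systemFolder 'dssinit.dll'),
    (Join-Path $systemFolder 'dssurls.log'),
    (Join-Path $env:TEMP 'dsstempresp.tmp'),
    (Join-Path $env:SystemRoot 'Temp\dsstempresp.tmp')  # assumed %TEMP% of SYSTEM (svchost.exe)
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "File present: $f (size $size bytes, SHA256 $hash)"
    }
}

# 2. Registry subkey created under Windows NT\CurrentVersion
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\dssData'
if (Test-Path -LiteralPath $key) {
    $findings += "Registry subkey present: $key"
}

# 3. Mutex created when the DLL runs inside svchost.exe (session 0, so check the
#    Global\ namespace too). The name is the description's example; samples vary.
foreach ($mutexName in @('SkGLGh58VhjfE9', 'Global\SkGLGh58VhjfE9')) {
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$m)) {
        $m.Dispose()
        $findings += "Mutex present: $mutexName"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Alureon.gen!R installation artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}

# 4. The trojan modifies DNS settings but the description does not say to what, so
#    list the configured IPv4 resolvers for review (DnsClient module, Win8+/2012+).
if (Get-Command Get-DnsClientServerAddress -ErrorAction SilentlyContinue) {
    Write-Output 'Configured IPv4 DNS servers (review for unexpected entries):'
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { "    $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }
}
```

Absence of these artifacts does not clear the host: the mutex name is only the description's example, and the files may already have been removed or renamed by a different sample.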

    Payload

    Steals System Information
    Trojan:Win32/Alureon.gen!R may intercept Internet traffic and steal confidential information such as user names, passwords, and other sensitive data. It then posts its gathered information to remote Web sites.
    It gathers this information by injecting code into certain processes, such as the following, to monitor for specific keywords:
  • avp.exe
  • avgexfs.exe
  • notepad.exe
  • wordpad.exe

    Redirects Traffic/Searches
    Trojan:Win32/Alureon.gen!R may redirect Internet traffic or searches to specific Web sites.
    Downloads Files
    Trojan:Win32/Alureon.gen!R may download files, which may be detected as other malware, from specific IP addresses. For example, one particular sample is known to download a file as <system folder>\windows_update.exe from the IP address 78.157.142.26.

    Blocks Access to Certain Web Sites
    Trojan:Win32/Alureon.gen!R blocks access to Web sites whose addresses contain certain strings, mostly those of Web sites related to security and antivirus products.

    Analysis by Patrik Vicol

    Last update 11 May 2009
