
Trojan:Win32/Alureon.BH


First posted on 24 April 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Alureon.BH is also known as Mal/Alureon-C (Sophos) and Rootkit.Win32.TDSS.eyj (Kaspersky).

Explanation:

Trojan:Win32/Alureon.BH is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Installation
Trojan:Win32/Alureon.BH may be installed by other components of the Win32/Alureon family, for example, we have observed this component being dropped by Trojan:Win32/Alureon.BK. It is loaded by the operating system when "spoolsv.exe" is launched.

Payload
Distributes Additional Alureon Components
In order to spread to additional machines, Trojan:Win32/Alureon.BH may drop an Alureon installer component to all accessible drives. It drops this component to <accessible drive>:\RECYCLER\ using a file name comprised of strings of random numbers with a .com file extension, for example C:\RECYCLER\S-1-5-21-1343024091-688789844-854245398-1003.com.
It also creates an autorun.inf in the root of these drives. The autorun.inf file (detected as Trojan:Win32/Alureon!inf) contains execution instructions for the operating system which are invoked when the drive is viewed using Windows Explorer, thus executing the dropped component and enabling Alureon to spread. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Backdoor Functionality
Trojan:Win32/Alureon.BH connects to a remote server to retrieve and execute commands involving the installation of more components, including the components that perform this family's data-stealing payload. For example, in the wild, Trojan:Win32/Alureon.BH was observed contacting IP 94.247.2.193:80 for this purpose. Using this backdoor, an attacker can perform the following actions on an affected machine:

  • Download additional files from the remote server
  • Execute the downloaded file directly
  • Load the downloaded file (DLL component) directly
  • Install the downloaded file (device driver component) as a device driver and load it

For more information, please see the Win32/Alureon family description elsewhere in our encyclopedia.
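The drop pattern described under "Distributes Additional Alureon Components" (a .com file in RECYCLER plus an autorun.inf that launches it) can be checked for on a mounted drive. The following is an added example, not code from this entry or its author: it scans one drive root, flags only an autorun.inf whose open=/shellexecute=/shell\<verb>\command= target points at a RECYCLER\*.com file (a bare autorun.inf is not treated as evidence, per the caveat above), and builds a constructed sample layout to run against. The file-name regex, the helper names and the sample contents are assumptions.

```python
import re
import tempfile
from pathlib import Path
DROPPED_NAME_RE = re.compile(r"^(?:S-)?\d+(?:-\d+)+\.com$", re.IGNORECASE)  # assumed shape of the dropped name

def autorun_targets(autorun_path: Path) -> list[str]:
    """Return targets named by open=, shellexecute= or shell\\<verb>\\command= lines."""
    targets = []
    for raw in autorun_path.read_text(errors="ignore").splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith((";", "[")):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip().strip('"'))
    return targets

def scan_drive_root(root: Path) -> list[str]:
    """Report the drop pattern on one drive root; an empty list means nothing matched."""
    findings = []
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for entry in recycler.iterdir():
            if entry.is_file() and DROPPED_NAME_RE.match(entry.name):
                findings.append(f"suspicious dropper: {entry}")
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for target in autorun_targets(autorun):
            norm = target.replace("/", "\\").lower()
            # A plain autorun.inf is not evidence; one launching a RECYCLER\*.com file is
            if "recycler\\" in norm and norm.endswith(".com"):
                findings.append(f"autorun.inf launches {target}")
    return findings

def build_sample_drive(base: Path, infected: bool) -> Path:
    """Constructed sample layout, not a real capture; placeholder bytes stand in for the dropper."""
    root = base / ("infected" if infected else "clean")
    (root / "RECYCLER").mkdir(parents=True)
    if infected:
        name = "S-1-5-21-1343024091-688789844-854245398-1003.com"
        (root / "RECYCLER" / name).write_bytes(b"placeholder")
        (root / "autorun.inf").write_text(f"[autorun]\nopen=RECYCLER\\{name}\n")
    else:  # legitimate install media also ship autorun.inf and must not be flagged
        (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n")
    return root

def demo() -> dict[bool, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return {flag: scan_drive_root(build_sample_drive(Path(tmp), flag)) for flag in (True, False)}
```

On a live system, pass each drive root (for example `Path("E:\\")`) to `scan_drive_root` instead of the constructed layout; the RECYCLER folder name is the Windows XP-era one this entry describes.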

Analysis by Shawn Wang

Last update 24 April 2009
