Home / malwarePDF  

Trojan:DOS/Alureon.E


First posted on 22 February 2019.
Source: Microsoft

Aliases :

Trojan:DOS/Alureon.E is also known as Rootkit.MBR.Sst.B, Trojan.DOS.Alureon, Troj/TdlMbr-D.

Explanation :

Installation

Trojan:DOS/Alureon.E is the detection name for infected Volume Boot Records (VBR) produced by certain variants of the Win32/Alureon rootkit family. The rootkit infects both 32-bit and 64-bit PCs and are usually created by Trojan:Win32/Alureon.FE.

Payload

Installs other malware components

This threat tries to access the hidden rootkit file system (VFS) to locate the file 'boot' in the VFS root folder. It then loads 'boot' and transfers control to it.

The file 'boot' prevents Windows from checking digital signatures for drivers, installs itself as a handler for hard disk read/write requests, and loads the original Windows VBR, and transfers control to it.

Each time Windows reads from the hard drive, the file 'boot' intercepts data and monitors if the kernel debugger component 'KDCOM.DLL' is loaded into memory. If so, 'boot' injects another rootkit component from the VFS root folder named either 'dbg32' or 'dbg64', depending on your PC's architecture, thus forcing Windows to load it instead of the legitimate 'KDCOM.DLL' file.

The loaded rootkit component loads the main rootkit driver, which is responsible for hiding the Alureon rootkit components.

The injected file may also prevent the Windows kernel from being debugged and may cause boot failures on PCs running 64-bitWindows XP and 64-bitWindows Server 2003.

Analysis by Sergey Chernyshev

Last update 22 February 2019

 

TOP