
Trojan:WinNT/Alureon.H


First posted on 28 September 2010.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:WinNT/Alureon.H.

Explanation :

Trojan:WinNT/Alureon.H is the detection name for the kernel-mode driver component of members of the Win32/Alureon family. The component functions as a rootkit that hides itself and other components of the Win32/Alureon trojan family.

Installation

WinNT/Alureon.H may be installed by other components of the Win32/Alureon family and may be present as a randomly named file in the temporary files folder, as in the following example:

%TEMP%\ahklw.tmp

The trojan stores its main body and other component files near the end of the local drive and encrypts the stored data.

Payload

Infects a Windows driver

WinNT/Alureon.H randomly selects an installed Windows driver file to infect, choosing among files such as "pci.sys", "win32k.sys", "dmload.sys", "IntelIde.sys" and others. The modified driver is detected as Virus:Win32/Alureon.H. Once a selected driver is successfully infected, it loads the Alureon main components, which are physically stored in an encrypted part of the last sector of the local hard drive.

Hides Win32/Alureon components

The trojan reads configuration data stored in a file "config.ini" to determine which process it will inject code into, such as "svchost.exe". The trojan injects a DLL component, "tdlcmd.dll", into the running process. WinNT/Alureon.H attempts to hide the presence of components of Win32/Alureon. Trojan:WinNT/Alureon.H will also return misleading results when certain security software attempts to access the infected driver or its protected file system.
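The description above says the encrypted main body lives near the end of the local drive, outside any file system object. That gives a defender a simple offline check: the tail of a disk is normally zero-filled or low-entropy, so a run of near-random trailing sectors is worth a closer look. The following Python is an added illustration of that check and is not code from the original write-up or from any vendor; the function names, the 512-byte sector size, the 16-sector tail window, the 7.0-bit threshold and the sample "disk image" are all constructed assumptions for the example.

```python
import math
import random
from collections import Counter

SECTOR_SIZE = 512  # assumed sector size for the constructed image


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_trailing_sectors(image: bytes, tail_sectors: int = 16,
                          sector_size: int = SECTOR_SIZE, threshold: float = 7.0):
    """Return (sector_index, entropy) for each of the last `tail_sectors` sectors
    whose entropy exceeds `threshold`.

    Unused space at the end of a disk is usually zero-filled (entropy ~0), so
    high-entropy sectors there are an indicator that data has been stashed
    outside the file system, as the description says Alureon does.
    """
    total = len(image) // sector_size
    start = max(0, total - tail_sectors)
    hits = []
    for idx in range(start, total):
        sector = image[idx * sector_size:(idx + 1) * sector_size]
        entropy = shannon_entropy(sector)
        if entropy > threshold:
            hits.append((idx, round(entropy, 2)))
    return hits


def build_sample_image(infected: bool, total_sectors: int = 64,
                       hidden_sectors: int = 8) -> bytes:
    """Constructed sample: a zero-filled 'disk' whose last sectors are replaced by
    seeded pseudo-random bytes standing in for an encrypted payload. This is not
    real malware data, just a stand-in so the check runs offline."""
    image = bytearray(total_sectors * SECTOR_SIZE)
    if infected:
        rng = random.Random(1234)  # fixed seed so the sample is reproducible
        blob = bytes(rng.getrandbits(8) for _ in range(hidden_sectors * SECTOR_SIZE))
        image[-len(blob):] = blob
    return bytes(image)


if __name__ == "__main__":
    for label, img in (("clean", build_sample_image(False)),
                       ("suspicious", build_sample_image(True))):
        hits = scan_trailing_sectors(img)
        print(f"{label}: {len(hits)} high-entropy trailing sector(s) {hits[:3]}")
```

Two practical caveats follow directly from the text. First, the rootkit returns misleading results to software that reads the infected driver or its protected storage from inside the running system, so a check like this belongs on an offline image or a boot from clean media, not on the live host. Second, full-disk encryption and some legitimate data also produce high-entropy sectors, so a hit is a prompt for inspection (compare against a known-good image, inspect the partition table for unaccounted space), not a verdict on its own.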

Analysis by Tim Liu

Last update 28 September 2010
