
TrojanDropper:Win32/Alureon.J


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

TrojanDropper:Win32/Alureon.J is also known as Trojan.Virantix.C (Symantec), W32/Spamta.AHO.worm (Panda), Rootkit.Win32.Clbd.hf (Kaspersky), and Generic.Malware.FVwdld.E32C0B99 (BitDefender).

Explanation:

TrojanDropper:Win32/Alureon.J is the detection for a DLL component of malware that is usually dropped and installed on the system by other malware. It may download and execute other files, block access to certain websites, and redirect searches. For more information, please refer to the description of the Win32/Alureon family.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry keys:
    HKLM\software\dss
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\dssData
  • You cannot connect to certain websites, most of them security related, such as the following:
    247fixes.com
    agnitum.com
    antispywareoffensief.nl
    arcabit.com
    armor2net.com
    atribune.org
    atwola.com
    auditmypc.com
    aumha.org
    avast
    avg.com
    avira.com
    avp.ch
    avp.com
    avp.ru
    besttechie.net
    beyondlogic.org
    bfccomputers.com
    bitdefender
    bleepingcomputer.com
    bluemedicine.be
    boardreader.com
    ca.com
    castlecops.com
    cexx.org
    comodo.com
    cybertechhelp.com
    d-a-l.com
    dellcommunity.com
    diamondcs
    download.microsoft.com
    drweb
    dslreports.com
    enigmasoftwaregroup.com
    eset
    eset.com
    estdomains.com
    f-secure.com
    forospyware.com
    forum.aumha.org
    forums.techguy.org
    forums.whatthetech.com
    free-av.com
    gdata.de
    geekstogo.com
    gladiator-antivirus.com
    gmer.net
    grc.com
    grisoft.com
    grisoft.cz
    hijackthis-forum.de
    hijackthis.nl
    hosting.ua
    hqhost.net
    ibforums.com
    internetworldstats.com
    javacoolsoftware.com
    kaspersky-labs.com
    kaspersky.com
    kaspersky.ru
    kasperskylabs.com
    kerio.com
    lavasoft
    lavasoft.com
    lavasoftsupport.com
    lavasoftusa
    layeredtech.com
    linhadefensiva.org
    maddoktor2.com
    majorgeeks.com
    malekal.com
    malwarebytes.org
    malwareremoval.com
    mcafee.com
    moosoft.com
    msdn.microsoft.com
    my-etrust.com
    nai.com
    networkassociates.com
    newbie.org
    noadware.net
    nod32
    norton.com
    pandasoftware
    pandasoftware.com
    pcflank.com
    pchell.com
    pcmasters.deforum
    pcpitstop.com
    pctools.com
    peb.pl
    phx.corporate-ir.net
    prevx.com
    safer-networking.de
    safer-networking.org
    security-forums.com
    security.kolla.de
    securitycadets.com
    secuser.model-fx
    sophos.com
    spybot.info
    spybot.safer-networking.de
    spywarefri.dk
    spywareinfo.com
    spywareinfoforum.com
    spywarewarrior.com
    stompsoft.com
    suggestafix.com
    superantispyware.com
    support.microsoft.com
    sygate.com
    symantec.com
    symantecliveupdate
    symantecliveupdate.com
    techguy.org
    techsupportforum.com
    techweb.com
    temerc.com
    thatcomputerguy.us
    thespykiller.co.uk
    tinysoftware.com
    trendmicro.com
    trendsecure.com
    update.microsoft.com
    update.symantec.com
    upgrade.bitdefender.com
    viruslist
    virusscan
    virustorjunta.net
    virustotal
    webuser.co.uk
    whatthetech.com
    windowsupdate.microsoft.com
    x.akamai.net
    yandex-team.ru
    zango.com
    zonealarm.com
    zonelabs
    zonelabs.com
  • You are redirected to other websites, such as "analitic-checks.google.com", when trying to go to "google.com".


    Installation
    TrojanDropper:Win32/Alureon.J arrives on the system as a DLL file with a varying file name. Once loaded, it checks which process loaded it and exits if the host process is one of the following:
      alg.exe
      lsass.exe
      spoolsrv.exe
      winlogon.exe
      services.exe
      inetinfo.exe
      wuauclt.exe
      explorer.exe
      ctfmon.exe
      opera.exe
    If the loading process is "svchost.exe", it creates the mutex "SkGLGh58VhjfE9" and the following registry entry:
      Adds value: "injector"
      With data: "<malware file name>.dll"
      To subkey: HKLM\software\dss
    It stores information about itself in registry entries such as the following:
      Adds values: "affid", "control", "downloaded_url", "flagged", "googleadserver", "prov", "subid"
      To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\dssData
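The registry artifacts above are the most stable host-side indicators, since the DLL name varies. The following is an added example, not code from the original description or from the analysis it reports: it parses a Windows `reg export` (.reg) text and reports whether the `dss` injector key and the `dssData` tracking values are present. The .reg format, the sample export and the DLL name `xqkrh.dll` in it are assumptions constructed for illustration; the key paths and value names are the ones given in the description.

```python
"""Added example, not part of the original description: scan a Windows
registry export for the Alureon.J installation indicators listed above.

Assumptions (not from the page): the input is 'reg export' (.reg) text;
the sample export and the DLL name 'xqkrh.dll' in it are constructed.
The key paths and value names are the ones given in the description.
"""
import re
import sys

INJECTOR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\dss"
DSSDATA_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\dssData")
DSSDATA_VALUES = {"affid", "control", "downloaded_url", "flagged",
                  "googleadserver", "prov", "subid"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key path (lower-cased): {value name: raw data}} for a .reg text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_alureon_indicators(text):
    """Return a list of findings (empty when none of the indicators is present)."""
    keys = parse_reg_export(text)
    findings = []
    dss = keys.get(INJECTOR_KEY.lower())
    if dss is not None:
        findings.append("key present: " + INJECTOR_KEY)
        if "injector" in dss:
            # The data names the dropped DLL; that file is the next thing to collect.
            findings.append("injector value -> " + dss["injector"].strip('"'))
    dssdata = keys.get(DSSDATA_KEY.lower())
    if dssdata is not None:
        hits = sorted(DSSDATA_VALUES & set(dssdata))
        findings.append("key present: %s (values: %s)"
                        % (DSSDATA_KEY, ", ".join(hits) or "none of the expected names"))
    return findings


# Constructed sample of an infected host's export; the DLL name is made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\dss]
"injector"="xqkrh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\dssData]
"affid"="42"
"control"=dword:00000001
"downloaded_url"="http://example.invalid/u"
"subid"="7"
"""

# Constructed sample of a clean host: the dss keys are simply absent.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"CurrentVersion"="5.1"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # 'reg export' writes UTF-16LE with a BOM; the 'utf-16' codec handles that.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    for finding in find_alureon_indicators(text) or ["no Alureon.J registry indicators"]:
        print(finding)
```

On a live host the export can be produced with `reg export HKLM\SOFTWARE\dss dss.reg` (and likewise for the dssData key) and then passed as the script's argument; the keys being absent is the expected clean result. Two things the registry cannot tell you and that need a running system: whether the mutex "SkGLGh58VhjfE9" is held, and which svchost.exe instance has the injector DLL loaded, which `tasklist /m` lists per process.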

    Payload

    Blocks Security-Related Websites
    TrojanDropper:Win32/Alureon.J blocks access from the system to certain websites, most of them security related. The full list of blocked sites is given under Symptoms above.

    Monitors Traffic from Certain Websites
    TrojanDropper:Win32/Alureon.J monitors, and may alter, traffic coming from certain websites, such as the following:
      go.google.com
      go.yahoo.com
      go.live.com
      go.msn.com
      go.aol.com

    Downloads Updates or Other Files
    TrojanDropper:Win32/Alureon.J may report to, or download updates or other files from, certain websites, such as the following:
      stableclick.com
      updatemicr0s0ft.net
      update.microsofttransfer.com
      compalusa.com
      asiuoqgusdbaksd.com
      wikiei.com
      clubgamecasino.com

    Redirects Traffic
    TrojanDropper:Win32/Alureon.J may redirect traffic to bogus websites, such as "analitic-checks.google.com", and may also report data to them. These sites may be associated with fake antivirus products.
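The reporting, update and redirect hosts above are the network-side indicators of this component. The following is an added example, not code from the original description or from the analysis it reports: it reads a web-proxy access log and flags every client that contacted one of the update/reporting domains (including subdomains) or the bogus redirect host. The log format `timestamp client method url status` and the sample lines are constructed assumptions, not any vendor's format; the domain lists are the ones named in the description.

```python
"""Added example, not part of the original description: flag the network
indicators listed above in a web-proxy access log.

Assumptions (not from the page): the log format 'timestamp client method
url status' is a constructed one, as are the sample lines; the domain
lists are those named in the description.
"""
from urllib.parse import urlsplit

# Hosts the DLL may report to or download updates from.
C2_DOMAINS = {
    "stableclick.com", "updatemicr0s0ft.net", "update.microsofttransfer.com",
    "compalusa.com", "asiuoqgusdbaksd.com", "wikiei.com", "clubgamecasino.com",
}
# Bogus host that requests for google.com are redirected to.
REDIRECT_HOSTS = {"analitic-checks.google.com"}


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Split one log line into its fields; the URL is reduced to its host."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname or "", "status": int(status)}


def triage(lines):
    """Return {client: sorted alert names} for every client that hit an indicator."""
    alerts = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        found = set()
        for d in C2_DOMAINS:
            if host_matches(rec["host"], d):
                found.add("c2-contact:" + d)
        for h in REDIRECT_HOSTS:
            if host_matches(rec["host"], h):
                found.add("search-redirect:" + h)
        if found:
            alerts.setdefault(rec["client"], set()).update(found)
    return {client: sorted(names) for client, names in alerts.items()}


# Constructed sample: 10.0.0.5 shows the redirect and C2 traffic, 10.0.0.7 is clean.
SAMPLE_LOG = """\
2009-02-04T10:00:01Z 10.0.0.5 GET http://google.com/search?q=antivirus 200
2009-02-04T10:00:01Z 10.0.0.5 GET http://analitic-checks.google.com/?q=antivirus 200
2009-02-04T10:00:09Z 10.0.0.5 GET http://cdn.stableclick.com/u/ping.php?affid=42 200
2009-02-04T10:01:30Z 10.0.0.7 GET http://www.example.org/ 200
2009-02-04T10:02:02Z 10.0.0.5 POST http://updatemicr0s0ft.net/upd 200
"""

if __name__ == "__main__":
    for client, names in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(client, ", ".join(names))
```

Because the DLL alters traffic on the infected host itself, the proxy does not see the redirect as such; what it sees is the follow-up request to the bogus host, which is why the match is on the destination host rather than on a 3xx status. The subdomain-aware match matters for the reporting hosts, since the description names bare domains and the actual beacon can go to any name under them. Blocked security sites cannot be detected this way, because blocked requests never leave the host.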

    Analysis by Patrik Vicol

    Last update 04 February 2009
