
Trojan:Win32/Alureon.gen!AD


First posted on 17 April 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Alureon.gen!AD is also known as Trojan/Win32.Tdss (AhnLab), BackDoor.Tdss.5070 (Dr.Web), Mal/EncPk-AAL (Sophos), Backdoor.Tidserv (Symantec).

Explanation:

Trojan:Win32/Alureon.gen!AD is the generic detection for variants of the Win32/Alureon family. This malware can execute in 64-bit versions of Windows and uses exploits to install other Alureon components. It communicates with a remote server to report its installation and to download updates of the malware. This variant uses advanced stealth techniques such as modifying the Master Boot Record (MBR) to hinder detection and removal of its various components.





Installation

This trojan may be installed by other malware, such as the following:

  • TrojanDownloader:Win32/Harnig.S
  • TrojanDownloader:Win32/Renos.PG
  • TrojanDownloader:Win32/Renos.PT
  • Trojan:Win32/Koobface.J
  • Trojan:Win32/Dantmil.A
  • Trojan:BAT/Mirias.A
  • Trojan:Win32/Rootkit.F
  • Worm:Win32/Vobfus.DA


The installed components may be detected as some or all of the following:

  • Trojan:Win32/Alureon.DX
  • VirTool:Win32/Obfuscator.PN
  • Trojan:Win32/Alureon.FH
  • Trojan:Win32/Alureon.gen!AA
  • Trojan:Win64/Alureon.C
  • Trojan:Win64/Alureon.gen!C
  • Trojan:Win64/Alureon.gen!B


In 32-bit Windows, Trojan:Win32/Alureon.gen!AD copies itself as the following:

  • %TEMP%\<random number>.tmp


It then converts its copy into a DLL file and installs the DLL as a local print provider. The registry is modified to run the component as a service at each Windows start.

In subkey: HKLM\SYSTEM\ControlSet001\Control\Print\Providers\<random numbers>
Sets value: "Name"
With data: "%temp%\<random filename>.tmp"

In subkey: HKLM\System\CurrentControlSet\Control\Print\Providers
Sets value: "Order"
With data: "lanman print services"

In subkey: HKLM\System\CurrentControlset\Services\<random number>
Sets value: "Imagepath"
With data: "%windir%\temp\<random number>.tmp"
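The three registry artifacts above share one tell: a print provider DLL or a service image that lives in a temp directory as a .tmp file. The following is an added example, not code from the original description, of a Python triage check over constructed registry data in that shape ({subkey: {value name: data}}); on a real host the input would be a registry export rather than the inline sample, and the key names and numbers in the sample are constructed.

```python
import re

# Constructed sample of registry data in the shape a triage tool might export:
# {subkey path: {value name: data}}. The two entries marked "constructed
# persistence" mirror the artifacts described above; the others are benign
# fillers so the check has something to ignore.
SAMPLE_REGISTRY = {
    "HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Providers\\LanMan Print Services": {
        "Name": "win32spl.dll",                         # legitimate provider
    },
    "HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Providers\\9417526": {
        "Name": "%temp%\\7815.tmp",                     # constructed persistence
    },
    "HKLM\\System\\CurrentControlSet\\Control\\Print\\Providers": {
        "Order": "lanman print services",
    },
    "HKLM\\System\\CurrentControlset\\Services\\9417526": {
        "Imagepath": "%windir%\\temp\\9417526.tmp",     # constructed persistence
    },
    "HKLM\\System\\CurrentControlset\\Services\\Spooler": {
        "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe",
    },
}

# A .tmp file under a temp directory, whether referenced through an
# environment variable or a literal path. Case-insensitive: registry data
# is mixed-case and Windows paths are case-insensitive.
TEMP_TMP_RE = re.compile(
    r"(?:%temp%|%tmp%|%windir%\\temp|\\temp)\\[^\\]+\.tmp$", re.IGNORECASE
)

PRINT_PROVIDERS = "\\control\\print\\providers\\"   # a subkey *under* Providers
SERVICES = "\\services\\"                            # a subkey *under* Services


def find_alureon_style_persistence(registry):
    """Return (subkey, value name, data, reason) for every value that matches
    the persistence pattern: a print provider DLL or a service image that
    lives in a temp directory as a .tmp file."""
    findings = []
    for subkey, values in registry.items():
        key = subkey.lower()
        for name, data in values.items():
            if not TEMP_TMP_RE.search(data):
                continue
            if PRINT_PROVIDERS in key and name.lower() == "name":
                findings.append((subkey, name, data,
                                 "print provider DLL loaded from a temp .tmp file"))
            elif SERVICES in key and name.lower() == "imagepath":
                findings.append((subkey, name, data,
                                 "service image is a temp .tmp file"))
    return findings


if __name__ == "__main__":
    for subkey, name, data, reason in find_alureon_style_persistence(SAMPLE_REGISTRY):
        print(f"{reason}: {subkey} -> {name} = {data}")
```

The check deliberately matches on the location of the binary rather than on the random key name, since the name changes per infection while a print provider or service backed by %temp%\*.tmp is abnormal on its own.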

The DLL component of Trojan:Win32/Alureon.gen!AD drops and loads a driver file that attempts to modify the Master Boot Record (MBR) of the system. The modified MBR is detected as Trojan:DOS/Alureon.A. Trojan:Win32/Alureon.gen!AD copies the following files to an encrypted virtual file system (VFS):

  • bckfg.tmp
  • cfg.ini
  • cmd.dll
  • cmd64.dll
  • drv32
  • drv64
  • ldr16
  • ldr32
  • ldr64


The dropped driver is responsible for loading these files from the encrypted VFS.

In 64-bit Windows systems, Trojan:Win32/Alureon.gen!AD writes all the file components directly into the encrypted virtual file system (VFS) and attempts to modify the MBR directly:

  • bckfg.tmp
  • cfg.ini
  • cmd.dll
  • cmd64.dll
  • drv32
  • drv64
  • ldr16
  • ldr32
  • ldr64


After a successful modification of the MBR, Trojan:Win32/Alureon.gen!AD attempts to force a reboot of the computer in order to load the malware components from the VFS. In cases where the trojan cannot perform system changes that require elevated privileges, Trojan:Win32/Alureon.gen!AD drops a copy of itself as the following:

  • %TEMP%\setup<process id>.exe
  • %TEMP%\setup<process id>.manifest
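Both the 32-bit and 64-bit installation paths end in a modified MBR, so the defender's check is a comparison of the first sector against a known-good baseline. The following is an added Python example, not from the original description, that hashes only the boot-code region (bytes 0 to 439) so that legitimate partition table edits do not invalidate the baseline; the sample sector is constructed and contains no real boot code.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bytes 0..439: the code a bootkit overwrites
DISK_SIG_OFF = 440    # 4-byte disk signature + 2 reserved bytes
PART_TABLE_OFF = 446  # four 16-byte partition entries
BOOT_SIG_OFF = 510    # must end in 0x55 0xAA


def boot_code_digest(sector):
    """SHA-256 of the boot-code region only, so that legitimate partition
    table edits do not invalidate the baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector, baseline_digest):
    """Compare a raw first sector against a known-good boot-code digest.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["first sector is not 512 bytes"]
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from the recorded baseline")
    return findings


def make_sample_sector(seed):
    """Constructed 512-byte sector (not real boot code): boot code derived
    from the seed, a fixed disk signature, one partition entry, 0x55AA."""
    boot_code = (hashlib.sha256(seed).digest() * 14)[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44\x00\x00"
    part_entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                        0x00, 0x08, 0x00, 0x00, 0x00, 0x20, 0x03, 0x00])
    part_table = part_entry + b"\x00" * 48
    return boot_code + disk_sig + part_table + b"\x55\xAA"


if __name__ == "__main__":
    baseline = boot_code_digest(make_sample_sector(b"known-good"))
    print(check_mbr(make_sample_sector(b"known-good"), baseline))   # []
    print(check_mbr(make_sample_sector(b"overwritten"), baseline))  # boot code differs
```

The baseline digest should be recorded while the machine is known clean. Because the description above says the MBR change is part of the stealth that hinders detection, a sector read from the running (possibly infected) system is less trustworthy than one read after booting from clean media; run the comparison from there when an infection is suspected.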


Trojan:Win32/Alureon.gen!AD attempts to write the following information to the "config.ini" or "cfg.ini" files inside the created VFS to uniquely identify the malware when communicating with a command and control server, also specified in the configuration file:

[main]
aid=<affiliate id>
sid=0
builddate=351
installdate=<DATE> <TIME>
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://WEBSITE1<DOT>com/;https://WEBSITE2<DOT>com/;https://WEBSITE3<DOT>com/;https://WEBSITE4<DOT>com/;https://WEBSITE5<DOT>com/
wsrv=http://WEBSITE1<DOT>com/;http://WEBSITE2<DOT>com/;http://WEBSITE3<DOT>com/;http://WEBSITE4<DOT>com/;http://WEBSITE5<DOT>com/
psrv=http://WEBSITE<DOT>com/
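The configuration above is INI-style, with semicolon-separated server lists under [cmd] and a "* (x64)" key under [inject]. The following is an added Python example, not code from the original description, that parses that layout into the fields a responder needs (affiliate id, build, injection targets, and a deduplicated server list for blocking). The sample uses the page's own placeholders; "<DOT>" is treated as a defanged dot and restored on output, and the parser is configured so that ';' inside URLs is not mistaken for a comment.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in the layout shown above, using the page's own
# placeholders (affiliate id, date, defanged WEBSITEn<DOT>com hosts).
SAMPLE_CFG = """\
[main]
aid=<affiliate id>
sid=0
builddate=351
installdate=<DATE> <TIME>
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://WEBSITE1<DOT>com/;https://WEBSITE2<DOT>com/;https://WEBSITE3<DOT>com/;https://WEBSITE4<DOT>com/;https://WEBSITE5<DOT>com/
wsrv=http://WEBSITE1<DOT>com/;http://WEBSITE2<DOT>com/;http://WEBSITE3<DOT>com/;http://WEBSITE4<DOT>com/;http://WEBSITE5<DOT>com/
psrv=http://WEBSITE<DOT>com/
"""

SERVER_ROLES = ("srv", "wsrv", "psrv")


def defang(host):
    """Write a hostname with <DOT> in place of '.', the convention used above."""
    return host.replace(".", "<DOT>")


def parse_alureon_cfg(text):
    """Parse the INI-style config into a dict of the fields a responder needs."""
    cp = configparser.ConfigParser(
        interpolation=None,            # values may contain '%'; never expand them
        delimiters=("=",),             # URLs contain ':'; only '=' separates keys
        comment_prefixes=(),           # nothing in this format is a comment
        inline_comment_prefixes=None,  # ';' is a list separator, not a comment
    )
    cp.optionxform = str               # keep keys such as "* (x64)" verbatim
    cp.read_string(text)

    servers = {}
    for role in SERVER_ROLES:
        hosts = []
        for url in filter(None, cp.get("cmd", role, fallback="").split(";")):
            # urlparse needs a real dot to find the host; re-defang afterwards
            host = urlparse(url.replace("<DOT>", ".")).hostname
            if host:
                hosts.append(defang(host))
        servers[role] = hosts

    return {
        "aid": cp.get("main", "aid", fallback=None),
        "builddate": cp.get("main", "builddate", fallback=None),
        "installdate": cp.get("main", "installdate", fallback=None),
        "inject": dict(cp.items("inject")) if cp.has_section("inject") else {},
        "servers": servers,
    }


def unique_hosts(parsed):
    """All server hostnames across srv/wsrv/psrv, deduplicated and sorted."""
    return sorted({h for hosts in parsed["servers"].values() for h in hosts})


if __name__ == "__main__":
    parsed = parse_alureon_cfg(SAMPLE_CFG)
    print(parsed["aid"], parsed["builddate"], parsed["inject"])
    print(unique_hosts(parsed))
```

The three server roles are kept separate in the output because the text lists them separately; unique_hosts flattens them when the goal is a single block list.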



Payload

Deletes the Hosts file
Trojan:Win32/Alureon.gen!AD attempts to delete the Windows Hosts file, which may prevent the computer from reaching network destinations or accessing local resources.

Contacts remote hosts
Trojan:Win32/Alureon.gen!AD attempts to communicate with several servers and download additional files. Some of the servers include the following:

  • 95.143.193.138
  • misratalium<DOT>in/?ini=
  • cbchance<DOT>com/pxxko
  • gnarenyawr<DOT>com
  • rinderwayr<DOT>com
  • jukdoout0<DOT>com
  • swltcho0<DOT>com
  • ranmjyuke<DOT>com
  • crj71ki813ck<DOT>com


The trojan also gathers information about the computer including the Windows version and build and the current date and time. Collected information is also sent to a remote server.

Redirects access to certain websites
Trojan:Win32/Alureon.gen!AD is capable of redirecting access requests for certain websites, which can include online financial institutions, to a destination specified by an attacker. In the wild, the following websites were being targeted by the trojan for redirection to other sites:

  • search.aol.com
  • search.icq.com
  • live.com
  • search.yahoo.*
  • www.google.*
  • www.bing.com
  • www.ask.com




Analysis by Zarestel Ferrer

Last update 17 April 2012

 
