Home / malware Trojan:Win32/Alureon.DX
First posted on 20 April 2019.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Alureon.DX.
Explanation :
Trojan:Win32/Alureon.DX is a rootkit that differs in behavior depending on whether the operating system is 32-bits or 64-bits. Trojan:Win32/Alureon.DX is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer. On a 32-bit-based operating system: Trojan:Win32/Alureon.DX copies itself to the %Temp% directory \?globalrootDeviceHarddiskVolume1directorysourcefile.exe, as, for example %temp% mpfile1.tmp . It then converts its copy into a DLL file, for example, %temp% mpfile1.tmp is converted to %temp% mpfile2.tmp . It attempts to install the DLL file as a print provider. Trojan:Win32/Alureon.DX may attempt to manually start the "spooler" service. If it fails, it tries a second time. The DLL file drops a driver to the disk, for example %temp% mpfile3.tmp. The dropped driver is detected as Trojan:WinNT/Alureon.L. Trojan:Win32/Alureon.DX makes the following registry modifications for the dropped driver, before attempting to load the driver: Adds value: "Imagepath" With data: "??\%temp%
.tmp" In subkey: HKLM SystemCurrentControlSetServices Adds value: "Type" With data: "1" In subkey: HKLM SystemCurrentControlSetServices Where is a string of randomly generated characters. These modifications are then deleted. Trojan:Win32/Alureon.DX generates a unique GUID by retrieving data from the following registry key value:
egistrymachinesoftwaremicrosoftcryptographymachineguid Trojan:Win32/Alureon.DX copies the following files to an encrypted virtual file system (VFS): bckfg.tmp cfg.ini cmd.dll cmd64.dll drv32 drv64 ldr16 ldr32 ldr64 The dropped driver is responsible for loading these files from the encrypted VFS. It is also responsible for modifying the Master Boot Record (MBR). The modified MBR is detected as Trojan:DOS/Alureon.A On a 64-bit-based operating system: Trojan:Win32/Alureon.DX writes directly into the encrypted virtual file system (VFS). It also attempts to directly modify the Master Boot Record (MBR). After attempting these modifications, it attempts to force a reboot of the computer. Additional information Contacts remote servers Trojan:Win32/Alureon.DX attempts to contact the following servers: 34jh7alm94.asia 61.61.20.132 61.61.20.135 68b6b6b6.com 91jjak4555j.com a74232357.cn a76956922.cn cri71ki813ck.com lk01ha71gg1.cc nyewrika.in rukkieanno.in zl091kha644.com Analysis by Scott MolenkampLast update 20 April 2019