Home / malware Trojan:Win32/Alureon.gen!C
First posted on 24 April 2009.
Source: SecurityHomeAliases :
Trojan:Win32/Alureon.gen!C is also known as Also Known As:Trojan.Win32.DNSChanger.pt (Kaspersky), W32/DNSChanger.XOR (Norman), Trojan.DNSChanger.PW (BitDefender), Win32/TrojanDownloader.Zlob.BXN (ESET), Trojan.Flush.A (Symantec), TROJ_DNSCHANG.BA (Trend Micro).
Explanation :
Trojan:Win32/Alureon.gen!C is a component of Win32/Aureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.
Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.
Trojan:Win32/Alureon.gen!C is a component of Win32/Aureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.
Installation
While installation details may differ according to minor variant, Trojan:Win32/Alureon.gen!C may copy itself to the <system folder> with a randomly generated file name and an .exe extension (for example, kdyrx.exe). It then modifies the registry to execute this file at each Windows start (for example):
Adds value: "System"
With data: <randomly generated file name>.exe
To subkey: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon
Payload
Modifies DNS SettingsTrojan:Win32/Alureon.gen!C may modify DNS settings on the host computer to enable the attacker to perform malicious tasks. Trojan:Win32/Alureon.gen!C may gather information regarding the user's browsing experience, redirect/block visited websites or launch a man-in-the-middle attack and intercept network traffic. Trojan:Win32/Alureon.gen!C may alter stored DNS settings by modifying the registry, for example: To subkey: HKLMSYSTEMCurrentControlSetServicesTCPIPParametersInterfaces{CLSID value}
Adds value: "NameServer"
With data: "85.255.???.???,85.255.???.???"
Adds value: "DhcpNameServer"
With data: "85.255.???.??? 85.255.???.???" Downloads and Executes Arbitrary FilesWin32/Alureon may also utilize a dll component to download and execute arbitrary files, including additional Alureon components. Downloaded files are generally saved to the %temp% directory before being executed.
Analysis by Francis Allan Tan SengLast update 24 April 2009