
Trojan:DOS/Alureon.F


First posted on 06 March 2012.
Source: Microsoft

Aliases:

Trojan:DOS/Alureon.F is also known as Alureon (Command), BOO/TDss.O (Avira), Trojan.Tdlbkfs.2 (Dr.Web), Trojan.DOS.Alureon (Ikarus), TDSS!mbr (McAfee), Troj/TdlMbr-D (Sophos).

Explanation:

Trojan:DOS/Alureon.F is a Master Boot Record (MBR) infected by certain variants of the Win32/Alureon rootkit family. The rootkit can infect both 32-bit and 64-bit systems.





Installation

MBRs detected as Trojan:DOS/Alureon.F are usually infected by Trojan:Win32/Alureon.FE.



Payload

Installs other malware components

When executed, Trojan:DOS/Alureon.F attempts to access the virtual file system (VFS) at the end of the physical disk to locate the file 'boot' in the VFS root folder. It then loads 'boot' and transfers control to it.

The file 'boot' prevents Windows from checking digital signatures for drivers, installs itself as a handler for read/write requests from the hard disk, and loads the original MBR, which is stored as 'mbr' in the root VFS folder. It then transfers control to the original MBR.

Each time Windows reads from the hard drive, the file 'boot' intercepts data and monitors if the system debugger component 'KDCOM.DLL' is loaded into memory. If so, 'boot' injects another rootkit component from the VFS root folder named either 'dbg32' or 'dbg64', depending on the computer's architecture, thus forcing Windows to load it instead of the legitimate 'KDCOM.DLL' file.

The loaded rootkit component loads the main rootkit driver, which is responsible for hiding the Alureon rootkit components.
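The two on-disk artifacts described above, a modified MBR and a VFS placed in unpartitioned space at the end of the physical disk, can be checked for offline. The following is an added example written for this page, not Microsoft's analysis tooling: it parses the MBR partition table, measures the unpartitioned tail of the disk, and compares the boot-code bytes against a known-good SHA-256. The sample MBR and disk size are constructed; a small tail gap is normal alignment slack, and because the 'boot' component hooks disk read requests, the MBR should be read from a forensic image or trusted boot media rather than from within the running system.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446   # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr: bytes):
    """Return (start_lba, sector_count) for every non-empty MBR partition entry."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]                                  # partition type byte
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((start_lba, count))
    return parts


def unpartitioned_tail_sectors(mbr: bytes, disk_sectors: int) -> int:
    """Sectors after the last partition end: room where a hidden VFS could live."""
    last_used = max((start + count for start, count in parse_partitions(mbr)), default=0)
    return max(disk_sectors - last_used, 0)


def boot_code_sha256(mbr: bytes) -> str:
    """Hash only the boot-code area (bytes 0..445), excluding the partition table."""
    return hashlib.sha256(mbr[:PART_TABLE_OFF]).hexdigest()


def boot_code_changed(mbr: bytes, known_good_sha256: str) -> bool:
    """True when the boot code differs from a baseline taken from a clean system."""
    return boot_code_sha256(mbr) != known_good_sha256


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed test input: an MBR with the given boot code and NTFS entries."""
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    for i, (start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        buf[off + 4] = 0x07                               # NTFS type id
        struct.pack_into("<II", buf, off + 8, start, count)
    buf[510:512] = SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    mbr = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", [(2048, 1_990_000)])
    print("unpartitioned tail sectors:", unpartitioned_tail_sectors(mbr, 2_000_000))
```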

Additional information

Refer to the family description for Win32/Alureon for more information on this family.



Analysis by Wei Li

Last update 06 March 2012
