
Trojan:WinNT/Alureon.D


First posted on 16 April 2009.
Source: SecurityHome

Aliases :

Trojan:WinNT/Alureon.D is also known as W32/Tibs.gen240 (Norman), Troj/Rootkit-ED (Sophos), Backdoor.Tidserv (Symantec), Trojan:Win32/Tibs.HS (other).

Explanation :

Trojan:WinNT/Alureon.D is detection for an obfuscated kernel-mode rootkit component of the Win32/Alureon family. Win32/Alureon is a family of data-stealing trojans that allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords and credit card data.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Installation
Trojan:WinNT/Alureon.D may be installed by other malware. This trojan may be present under filenames such as the following:

%systemroot%\system32\drivers\UACD.sys
%systemroot%\system32\drivers\UAC<random letters>.sys
%systemroot%\system32\drivers\TDSS.sys
%systemroot%\system32\drivers\TDSSserv.sys
%systemroot%\system32\drivers\TDSS<random 4 letters>.sys

The registry is modified to execute the trojan as a service at Windows start. The following are examples of subkeys created:

HKLM\System\CurrentControlSet\Enum\Root\Legacy_UACD.sys
HKLM\System\CurrentControlSet\Enum\Root\Legacy_UACD.sys\0000
HKLM\System\CurrentControlSet\Enum\Root\Legacy_UACD.sys\0000\Control

Payload
Provides Stealth
When active, this trojan may hide its related files and associated malware from being viewed in Windows Explorer.

Additional Information
For more information about Win32/Alureon and WinNT/Alureon, see our descriptions elsewhere in the encyclopedia.
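The Installation section above gives file and registry artifacts, and the Payload section warns that the rootkit hides its files while it is active. The following PowerShell function is an added example, not part of the original encyclopedia entry, that checks a Windows installation for exactly those artifacts. The driver names and registry key come from the entry; the function name, its parameters and the output format are this example's own, and the wildcard patterns are an assumed rendering of the entry's "<random letters>" placeholders.

```powershell
<#
  Added example, not from the original encyclopedia entry.
  Looks for the Trojan:WinNT/Alureon.D artifacts listed in the Installation
  section. Artifact names are taken from the entry; Find-AlureonDArtifacts,
  its parameters and the result objects are this example's own.
  Run from an elevated PowerShell session.
#>
function Find-AlureonDArtifacts {
    [CmdletBinding()]
    param(
        # Windows directory to inspect. Defaults to the running system. Because
        # the Payload section states the rootkit hides its files while active,
        # a trustworthy answer comes from an offline copy: point this at a
        # volume mounted from WinRE or a forensic workstation (e.g. E:\Windows).
        [string]$WindowsDir = $env:SystemRoot,

        # Also inspect the live registry. Only meaningful on the running
        # system; for an offline image load its SYSTEM hive separately.
        [switch]$IncludeRegistry
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $seen = @{}
    $driversDir = Join-Path $WindowsDir 'system32\drivers'

    # Driver names from the entry. '*' and '????' stand in for the
    # "<random letters>" and "<random 4 letters>" placeholders (assumption).
    # Specific names come first so a file is reported under its exact match.
    $filePatterns = 'UACD.sys', 'TDSS.sys', 'TDSSserv.sys', 'UAC*.sys', 'TDSS????.sys'

    foreach ($pattern in $filePatterns) {
        # -Force includes hidden and system files, which a dropped driver may be.
        Get-ChildItem -Path $driversDir -Filter $pattern -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($seen.ContainsKey($_.FullName)) { return }
                $seen[$_.FullName] = $true
                $findings.Add([pscustomobject]@{
                    Kind    = 'File'
                    Path    = $_.FullName
                    Pattern = $pattern
                    Detail  = 'size={0} lastWriteUtc={1:u}' -f $_.Length, $_.LastWriteTimeUtc
                })
            }
    }

    if ($IncludeRegistry) {
        # The Enum\Root\Legacy_* subkey named in the entry, plus everything
        # beneath it (the entry lists the 0000 instance and its Control key).
        $legacyKey = 'HKLM:\System\CurrentControlSet\Enum\Root\Legacy_UACD.sys'
        if (Test-Path -LiteralPath $legacyKey) {
            $keys = @(Get-Item -LiteralPath $legacyKey) +
                    @(Get-ChildItem -LiteralPath $legacyKey -Recurse -ErrorAction SilentlyContinue)
            foreach ($k in $keys) {
                $findings.Add([pscustomobject]@{
                    Kind    = 'Registry'
                    Path    = $k.Name
                    Pattern = 'Legacy_UACD.sys'
                    Detail  = 'values=' + (($k.GetValueNames() | Where-Object { $_ }) -join ',')
                })
            }
        }
    }

    # Emit the findings; an empty result means none of the listed artifacts
    # were visible from this vantage point, which on a live host is not proof
    # of absence given the stealth behaviour described above.
    $findings
}

# Usage on the live host (elevated):
#   Find-AlureonDArtifacts -IncludeRegistry | Format-Table -AutoSize
# Usage against an offline volume mounted at E::
#   Find-AlureonDArtifacts -WindowsDir 'E:\Windows' | Format-Table -AutoSize
```

Exact-name hits (UACD.sys, TDSS.sys, TDSSserv.sys, the Legacy_UACD.sys key) are the strongest signals; a hit on the wildcard patterns alone should be confirmed against a known-good driver inventory before acting on it, since the wildcards are broader than the entry's placeholders strictly require.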

Analysis by Dan Kurc

Last update 16 April 2009
