
Trojan:Win32/Alureon.FK


First posted on 07 February 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Alureon.FK is also known as W32/Troj_Generic.ETBF (Norman), Trojan horse Generic26.BEIM (AVG), BackDoor.Tdss.6992 (Dr.Web), Win32/Olmarik.AXW trojan (ESET), Trojan-Spy.Win32.Zbot (Ikarus), Trojan-Dropper.Win32.Pihar.nw (Kaspersky), Backdoor.Pihar (Symantec), TROJ_SPNR.27A012 (Trend Micro).

Explanation :

Trojan:Win32/Alureon.FK is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer.

The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.

Restoring DNS Settings

The Domain Name System (DNS) is used (among other things) to map domain names to IP addresses - that is, to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, a browser will use DNS servers to find the correct IP address of the requested domain. When a user is directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can provide incorrect IP addresses of their choice to map to particular domain names, thus directing the user to possibly bogus or malicious sites without the affected user's knowledge.

Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:

  • If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553
  • If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:

    %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
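The rasphone.pbk check above can be scripted. The following is an added example (not Microsoft's scanner code) that parses a phonebook file and reports every dial-up entry whose "IpDnsAddress" or "IpDns2Address" field is set to a static address; the phonebook text it runs on is constructed, and the flagged address is a documentation-range placeholder, not a real indicator.

```python
"""Audit a rasphone.pbk phonebook for entries with static DNS servers.
rasphone.pbk is INI-style: one [section] per connection entry, key=value lines,
and keys may repeat inside a section. Blank or 0.0.0.0 means 'use the
server-assigned DNS'; anything else is worth a look after an Alureon cleanup."""
from pathlib import Path

DNS_FIELDS = ("IpDnsAddress", "IpDns2Address")
UNSET = {"", "0.0.0.0"}

# Constructed sample: one clean entry and one with static DNS the user never set
# (203.0.113.x is a documentation range used here as a placeholder).
SAMPLE_PBK = """[Home ISP]
MEDIA=rastapi
Device=Modem
IpDnsAddress=0.0.0.0
IpDns2Address=

[Office VPN]
MEDIA=rastapi
IpDnsAddress=203.0.113.5
IpDns2Address=203.0.113.6
"""

def parse_pbk(text: str) -> dict[str, list[tuple[str, str]]]:
    """Minimal parser: section name -> [(key, value), ...], keeping duplicates."""
    entries: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current].append((key.strip(), value.strip()))
    return entries

def find_static_dns(text: str) -> dict[str, dict[str, str]]:
    """Return {entry: {field: address}} for entries with a static DNS server set."""
    hits: dict[str, dict[str, str]] = {}
    for entry, pairs in parse_pbk(text).items():
        flagged = {k: v for k, v in pairs if k in DNS_FIELDS and v not in UNSET}
        if flagged:
            hits[entry] = flagged
    return hits

def audit_file(path: str) -> dict[str, dict[str, str]]:
    """Run the check on a real phonebook (the .bak the scanner leaves works too)."""
    return find_static_dns(Path(path).read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    for entry, fields in find_static_dns(SAMPLE_PBK).items():
        print(f"{entry}: {fields}")
```

Compare the flagged addresses with what the ISP or VPN provider actually issues; anything unexplained should be cleared so the connection goes back to server-assigned DNS.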




Installation

Trojan:Win32/Alureon.FK drops a copy of itself in the %Temp% folder with the following file name format:

  • c:\documents and settings\administrator\local settings\temp\<randomly generated character>.tmp
  • c:\documents and settings\administrator\local settings\temp:winupd.exe


The malware modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "winupd"
With data: "c:\documents and settings\administrator\local settings\temp:winupd.exe"

Trojan:Win32/Alureon.FK may drop a malicious driver, detected as Trojan:WinNT/Alureon.AA, in the affected computer under the %windir%\temp folder, for example:

%windir%\temp\8.tmp - detected as Trojan:WinNT/Alureon.AA

It makes the following registry modifications for the dropped driver, to register it as a service before attempting to load it:

In subkey: HKLM\system\currentcontrolset\services\<service name>
Sets value: "imagepath"
With data: "%windir%\temp\8.tmp"

Where <service name> is a string of randomly generated characters, for example: d7607600

Trojan:Win32/Alureon.FK attempts to inject the driver, detected as Trojan:WinNT/Alureon.AA, into the "spooler" service. The service can then be manually restarted so that its dropped driver also runs.
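The persistence described in this section has three tell-tale traits a defender can check for in autostart locations: an executable living in a temp folder, a path that names an alternate data stream (the "temp:winupd.exe" form), and a .tmp file registered as a service ImagePath. The following is an added example, not Microsoft's code, that classifies autostart paths by those traits; the Run values and service entries it examines are constructed from the paths quoted above, and the read_run_values helper (Windows only) is an assumption about how one would feed it live data.

```python
"""Flag Run values and service ImagePath data that fit the Alureon.FK
persistence pattern. Heuristic only: a hit means 'look at this', not 'infected'."""
import re

# \temp\ or \temp: or %temp% etc. anywhere in the path
TEMP_DIR_RE = re.compile(r"(?:\\|%)(temp|tmp)(?=[\\:%]|$)", re.IGNORECASE)
# drive:\...\file:stream  (a colon in the final path component = NTFS ADS)
ADS_RE = re.compile(r"^[A-Za-z]:\\.*\\[^\\:\s]+:[^\\:\s]+")

def classify_autostart(data: str) -> list[str]:
    """Return the reasons an autostart path looks suspicious ([] if none)."""
    path = data.strip().strip('"')
    reasons = []
    if ADS_RE.match(path):
        reasons.append("alternate data stream")
    if TEMP_DIR_RE.search(path):
        reasons.append("executes from temp folder")
    if path.lower().endswith(".tmp"):
        reasons.append(".tmp file used as executable/driver")
    return reasons

def audit(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map entry name -> reasons, keeping only entries that matched something."""
    return {name: r for name, data in entries.items() if (r := classify_autostart(data))}

# Constructed HKCU\...\Run values and HKLM\...\services\<name>\ImagePath values,
# built from the paths this analysis lists plus two ordinary Windows entries.
SAMPLE_RUN_VALUES = {
    "winupd": r"c:\documents and settings\administrator\local settings\temp:winupd.exe",
    "ctfmon.exe": r"c:\windows\system32\ctfmon.exe",
}
SAMPLE_SERVICES = {
    "d7607600": r"%windir%\temp\8.tmp",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
}

def read_run_values() -> dict[str, str]:
    """Assumed helper: read the live HKCU Run key via winreg (Windows only)."""
    import winreg
    out, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return out
            out[name] = str(data)
            i += 1

if __name__ == "__main__":
    print(audit(SAMPLE_RUN_VALUES))
    print(audit(SAMPLE_SERVICES))
```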



Payload

Contacts remote hosts

Trojan:Win32/Alureon.FK may contact a remote host at citycenter22.com via TCP port 80. Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer




Analysis by Wei Li

Last update 07 February 2012
