
Trojan:Win32/Alureon.BJ


First posted on 11 May 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Alureon.BJ is also known as Win-Trojan/Zpack.18432.I (AhnLab), Trojan.Win32.Tdss.aalg (Kaspersky), W32/DNSChanger.EGBI (Norman), DNSChanger!d (McAfee), and Trojan.Vundo (Symantec).

Explanation:

Trojan:Win32/Alureon.BJ is a component of Win32/Alureon, a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.

Trojan:Win32/Alureon.BJ is a DLL component of Win32/Alureon. It intercepts HTTP-related system APIs to direct an affected user's search text to a particular server. It also downloads and executes arbitrary files from a remote server.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.


Installation
Trojan:Win32/Alureon.BJ may be dropped and installed by other components of the Win32/Alureon family. It may be loaded into processes automatically; one way it has been observed to accomplish this is to modify the following registry entry:
Sets value: "appinit_dlls"
With data: "<path to Trojan:Win32/Alureon.BJ DLL>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
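The registry entry above is the persistence mechanism to check first during triage. The following PowerShell audit is an added example, not part of the original write-up: it reads the AppInit_DLLs value from the key named above (and, as an assumption, the Wow6432Node counterpart on 64-bit Windows), resolves each listed DLL, and reports whether it exists on disk, its Authenticode status and its SHA-256 hash.

```powershell
# Added example, not from the original write-up: audit the AppInit_DLLs value
# that Trojan:Win32/Alureon.BJ is described as setting. Run from an elevated
# PowerShell prompt on the machine under triage.
function Get-AppInitDllAudit {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        # 32-bit view on 64-bit Windows (assumed; the write-up names only the native key)
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Windows XP loads the value unconditionally; Vista and later only load it
        # when LoadAppInit_DLLs is 1, so an absent flag means "always loaded".
        $loadFlag = if ($null -eq $props.LoadAppInit_DLLs) { 'n/a (always loaded)' } else { $props.LoadAppInit_DLLs }
        $raw = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($raw)) {
            # Empty is the expected state on a clean system.
            [pscustomobject]@{ Key = $key; LoadFlag = $loadFlag; Dll = '<empty>'; Exists = $false; Signature = ''; Sha256 = '' }
            continue
        }
        # The value is a space- or comma-separated list of DLL paths.
        foreach ($dll in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($path)) {
                # A bare file name is found via the loader's search path; System32 is the usual hit.
                $path = Join-Path $env:SystemRoot ('System32\' + $dll)
            }
            $exists = Test-Path -LiteralPath $path
            [pscustomobject]@{
                Key       = $key
                LoadFlag  = $loadFlag
                Dll       = $path
                Exists    = $exists
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { '' }
                Sha256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
            }
        }
    }
}

# Any non-empty entry deserves review; an unsigned DLL, or one that no longer
# exists on disk, is a strong lead for the component described above.
Get-AppInitDllAudit | Format-List
```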

Payload

Redirects Search Results / Subverts Web Interaction
Trojan:Win32/Alureon.BJ is only functional when loaded by the iexplore.exe process. It hides itself from the list of loaded DLLs in memory.
Trojan:Win32/Alureon.BJ intercepts various HTTP-related system APIs provided by WININET.DLL to embed a script into the search result page of the following search engines:

  • www.google.*
  • *.search.yahoo.com
  • search.yahoo.com
  • search.live.com
  • search.msn.com
  • www.altavista.com
  • www.alltheweb.com
  • *search.aol.com
  • *search.netscape.com
  • www.ask.com
  • www.search.com
  • *search.lycos.*
  • www.beedly.us
  • beedly.us
  • yandex.ru
  • nova.rambler.ru
  • sm.aport.ru
  • www.gogo.ru
  • gogo.ru
  • www.meta.ua
  • www.au.ru
  • www.nigma.ru
  • nigma.ru
  • www.all.by
  • www.uaport.net
  • uaport.net
  • www.search.ua
  • search.ua
  • www.poisk.ru
  • poisk.ru

The embedded script directs the affected user's search text, along with the search engine name, to servers on the following hosts:

  • directitfast.com
  • onseneka.net
  • onseneka.com

Downloads and Executes Arbitrary Files
Trojan:Win32/Alureon.BJ may download additional files from a remote server to the local affected machine and execute them. Trojan:Win32/Alureon.BJ was observed contacting 78.26.144.210 for this purpose.

Analysis by Shawn Wang

Last update 11 May 2009