
Trojan:Win32/Alureon.FL


First posted on 27 February 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Alureon.FL is also known as TR/Alureon.FL.213 (Avira), BackDoor.Tdss.6738 (Dr.Web), Trojan.Win32.Alureon (Ikarus), TROJ_ALUREON.CWO (Trend Micro).

Explanation:

Trojan:Win32/Alureon.FL is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.





Installation

When executed, Trojan:Win32/Alureon.FL creates a mutex with the following format:

Global\<8 random characters>-<4 random characters>-<4 random characters>-<4 random characters>-<12 random characters>-M

For example, Global\544cea19-ed69-4c8b-ad11-fb7c171b20ba-M.

Trojan:Win32/Alureon.FL drops a copy of itself in the %Temp% folder with the following file name format:

  • %Temp%\<randomly generated character>.tmp, for example, 7.tmp
  • %Temp%\<malware name>


In the wild, we have seen Win32/Alureon use the following as <malware name>:

  • wuauclt.exe
  • googleupdate.exe


Note that a legitimate Windows file named wuauclt.exe exists by default in the Windows system folder.
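The mutex and dropped-file formats above can be turned into a triage check over handle and file listings exported from a sandbox or an EDR. The following is an added example, not code from the original write-up; it assumes the "random characters" of the mutex are hex digits (as in the page's own example), that the ".tmp" name is a single alphanumeric character, and it deliberately ignores wuauclt.exe outside a Temp folder so that the legitimate copy in the Windows system folder is not flagged. The sample inputs are constructed.

```python
import re
from typing import Dict, List

# Mutex format from the write-up: Global\<8>-<4>-<4>-<4>-<12>-M.
# Assumption (not stated on the page): the random characters are hex digits,
# matching the page's example Global\544cea19-ed69-4c8b-ad11-fb7c171b20ba-M.
MUTEX_RE = re.compile(
    r"^Global\\[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}-M$"
)

# Dropped file names from the write-up, matched only directly under a Temp
# folder. Assumption: the "<randomly generated character>.tmp" name is a
# single alphanumeric character (the page's example is 7.tmp).
TEMP_DROP_RE = re.compile(
    r"\\temp\\(?:[0-9a-z]\.tmp|wuauclt\.exe|googleupdate\.exe)$",
    re.IGNORECASE,
)


def is_alureon_fl_mutex(name: str) -> bool:
    """True when a mutex name matches the Alureon.FL naming scheme."""
    return bool(MUTEX_RE.match(name))


def is_alureon_fl_drop(path: str) -> bool:
    """True only for the Temp-folder drop locations the write-up describes.
    C:\\Windows\\System32\\wuauclt.exe is the legitimate file and is not matched."""
    return bool(TEMP_DROP_RE.search(path))


def triage(mutexes: List[str], files: List[str]) -> Dict[str, List[str]]:
    """Return the subset of observed mutexes and files matching the indicators."""
    return {
        "mutexes": [m for m in mutexes if is_alureon_fl_mutex(m)],
        "files": [f for f in files if is_alureon_fl_drop(f)],
    }


# Constructed sample observations (not from a real infection).
SAMPLE_MUTEXES = [
    "Global\\544cea19-ed69-4c8b-ad11-fb7c171b20ba-M",   # page's example
    "Global\\MSCTF.Asm.MutexDefault1",                    # benign Windows mutex
    "Local\\544cea19-ed69-4c8b-ad11-fb7c171b20ba-M",    # wrong namespace
]
SAMPLE_FILES = [
    "C:\\Users\\alice\\AppData\\Local\\Temp\\7.tmp",
    "C:\\Windows\\System32\\wuauclt.exe",                 # legitimate, must not match
    "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe",
    "C:\\Windows\\Temp\\googleupdate.exe",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\report.tmp",  # multi-char name, no match
]

if __name__ == "__main__":
    print(triage(SAMPLE_MUTEXES, SAMPLE_FILES))
```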



Payload

Installs other malware

When run, this trojan may install other components that are detected as variants of Win32/Alureon, including Trojan:Win32/Alureon.FE and Trojan:Win32/Alureon.gen!AE.

Connects to a remote server

Trojan:Win32/Alureon.FL communicates with a remote server to report its presence on the affected computer and to retrieve commands.



Analysis by Wei Li

Last update 27 February 2012
