Trojan:Win32/Alureon.FL
First posted on 27 February 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Alureon.FL is also known as TR/Alureon.FL.213 (Avira), BackDoor.Tdss.6738 (Dr.Web), Trojan.Win32.Alureon (Ikarus), TROJ_ALUREON.CWO (Trend Micro).
Explanation:
Trojan:Win32/Alureon.FL is a component of Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.
Installation
When executed, Trojan:Win32/Alureon.FL creates a mutex with the following format:
Global\<8 random characters>-<4 random characters>-<4 random characters>-<4 random characters>-<12 random characters>-M
For example, Global\544cea19-ed69-4c8b-ad11-fb7c171b20ba-M.
Trojan:Win32/Alureon.FL drops a copy of itself in the %Temp% folder with the following file name format:
- %Temp%\<randomly generated character>.tmp, for example, 7.tmp
- %Temp%\<malware name>
In the wild, we have seen Win32/Alureon use the following as <malware name>:
- wuauclt.exe
- googleupdate.exe
Note that a legitimate Windows file named wuauclt.exe exists by default in the Windows system folder.
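As an added defender-side check (this script is not part of the original advisory and is not Microsoft's code), the following Python example matches observed mutex names and file paths against the installation artifacts described above: the GUID-style mutex ending in "-M", the single-character ".tmp" file in %Temp%, and the wuauclt.exe / googleupdate.exe names dropped into %Temp%. It treats wuauclt.exe under the Windows system folder as legitimate, as the note above requires. The hexadecimal character classes in the mutex pattern are an assumption drawn from the single example given on the page, and the sample mutex list and paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Mutex format from the advisory. The advisory says "random characters";
# restricting each group to hex digits is an assumption based on the one
# example it gives (Global\544cea19-ed69-4c8b-ad11-fb7c171b20ba-M).
ALUREON_MUTEX_RE = re.compile(
    r"^Global\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}-M$",
    re.IGNORECASE,
)

# File names the advisory reports being used as <malware name> in %Temp%.
DROPPED_NAMES = {"wuauclt.exe", "googleupdate.exe"}

# "<randomly generated character>.tmp", e.g. 7.tmp
SINGLE_CHAR_TMP_RE = re.compile(r"^[0-9a-z]\.tmp$", re.IGNORECASE)


def is_alureon_mutex(name: str) -> bool:
    """True when a mutex name follows the documented Alureon.FL format."""
    return bool(ALUREON_MUTEX_RE.match(name))


def classify_temp_file(path: str) -> Optional[str]:
    """Return a finding label when a path matches a drop pattern, else None.

    Only files under a directory named Temp are considered, so the legitimate
    wuauclt.exe in the Windows system folder is not flagged.
    """
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    if "temp" not in parts:
        return None
    name = p.name.lower()
    if name in DROPPED_NAMES:
        return f"dropped copy using legitimate-looking name: {p.name}"
    if SINGLE_CHAR_TMP_RE.match(name):
        return f"single-character .tmp file: {p.name}"
    return None


def scan(mutexes: List[str], paths: List[str]) -> List[Tuple[str, str]]:
    """Collect (kind, value) findings over observed mutexes and file paths."""
    findings: List[Tuple[str, str]] = []
    for m in mutexes:
        if is_alureon_mutex(m):
            findings.append(("mutex", m))
    for path in paths:
        if classify_temp_file(path) is not None:
            findings.append(("file", path))
    return findings


# Constructed sample data: one mutex copied from the advisory, one unrelated
# mutex, and one that lacks the trailing "-M" and so should not match.
SAMPLE_MUTEXES = [
    "Global\\544cea19-ed69-4c8b-ad11-fb7c171b20ba-M",
    "Global\\ExampleApplicationMutex",
    "Global\\544cea19-ed69-4c8b-ad11-fb7c171b20ba",
]

# Constructed sample paths (user name and drive are placeholders).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\7.tmp",
    r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe",
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Users\alice\AppData\Local\Temp\report.tmp",
]

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_MUTEXES, SAMPLE_PATHS):
        print(f"[{kind}] {value}")
```

Run against the constructed data, the script reports the advisory's example mutex, the 7.tmp file and the wuauclt.exe copy in %Temp%, and stays silent on the system-folder wuauclt.exe and the multi-character report.tmp. In practice the mutex list would come from a process or sandbox trace and the paths from a directory listing or file-creation telemetry.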
Payload
Installs other malware
When run, this trojan may install other components that are detected as variants of Win32/Alureon, including Trojan:Win32/Alureon.FE and Trojan:Win32/Alureon.gen!AE.
Connects to a remote server
Trojan:Win32/Alureon.FL communicates with a remote server to report its presence in the affected computer, and to retrieve commands.
Analysis by Wei Li
Last update 27 February 2012