
Trojan:Win32/Alureon.DC


First posted on 15 December 2009.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/Alureon.DC.

Explanation :

Trojan:Win32/Alureon.DC is a member of Win32/Alureon - a multi-component family of trojans involved in a broad range of subversive activities online that generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating the affected user's activities online to the attacker's benefit. In the wild, Trojan:Win32/Alureon.DC is used to download and install other malware, such as Trojan:Win32/FakeCog.

Trojan:Win32/Alureon.DC is a member of Win32/Alureon - a multi-component family of trojans involved in a broad range of subversive activities online that generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating the affected user's activities online to the attacker's benefit. As such, the various components of this family have been used for:

  • modifying the affected user's search results (search hijacking)
  • redirecting the affected user's browsing to sites of the attacker's choice (browser hijacking)
  • changing DNS settings to redirect users to sites of the attacker's choice without the affected user's knowledge
  • downloading and executing arbitrary files, including additional components and other malware
  • serving illegitimate advertising
  • installing rogue security software
  • banner clicking

Win32/Alureon also uses advanced stealth techniques to hinder the detection and removal of its various components.

Some variants of this trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.

Trojan:Win32/Alureon.DC is used to download and install other malware.

Installation :

When executed, Trojan:Win32/Alureon.DC modifies the following registry entry:

  Adds value: "affid"
  With data: "<affid>"
  Adds value: "subid"
  With data: "<subid>"
  To subkey: HKLM\SOFTWARE\Mozilla

where <affid> and <subid> are variable strings specified by the malware, for example:

  Adds value: "affid"
  With data: "216"
  Adds value: "subid"
  With data: "new"
  To subkey: HKLM\SOFTWARE\Mozilla

After performing its malicious routine, the trojan is moved to the Windows Temporary Files folder and then deleted at the next Windows restart.

Payload :

Downloads other malware

In the wild, Trojan:Win32/Alureon.DC has been observed to contact the following domains to download files:

  • graphwebgo.cn
  • weeklytop.cn

The downloaded file is saved to the Windows Temporary Files folder with a random name, and then executed. At the time of writing, the downloaded file is detected as Trojan:Win32/FakeCog. Trojan:Win32/Alureon.DC checks if the affected system is 32-bit or 64-bit, and, depending on the system, downloads a compatible version from a remote host.
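The registry values and download domains above are the host and network indicators a responder would check for. The following Python script is an added example written for this page, not code from the original entry or from any vendor; it runs two defensive checks over constructed data: a registry-snapshot lookup for the "affid"/"subid" values under HKLM\SOFTWARE\Mozilla, and a scan of resolver log lines for queries to graphwebgo.cn or weeklytop.cn (or their subdomains). The snapshot dictionary, the log line format ("<timestamp> <client> query <qname>") and all sample values are assumptions made up for the example. Because the Mozilla subkey itself may legitimately exist on machines with Mozilla software installed, the check keys on the two value names the page lists, not on the presence of the key.

```python
"""Defensive triage helpers for the Trojan:Win32/Alureon.DC indicators on this page.
Added example; not code from the original page or from any vendor.
The registry snapshot and DNS log lines below are constructed sample data."""
import re

# Indicators taken from the page: values written under HKLM\SOFTWARE\Mozilla
# and the two download domains observed in the wild.
ALUREON_DC_SUBKEY = r"HKLM\SOFTWARE\Mozilla"
ALUREON_DC_VALUES = ("affid", "subid")
ALUREON_DC_DOMAINS = {"graphwebgo.cn", "weeklytop.cn"}


def find_registry_indicators(snapshot):
    """snapshot maps a registry subkey path to {value_name: data} (assumed format).
    Returns (value_name, data) pairs found under the Alureon.DC subkey; both
    'affid' and 'subid' present is the pattern the page describes."""
    values = snapshot.get(ALUREON_DC_SUBKEY, {})
    return [(name, values[name]) for name in ALUREON_DC_VALUES if name in values]


# Assumed resolver log format: "<timestamp> <client> query <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def find_dns_indicators(lines):
    """Scan resolver log lines and return (ts, client, qname) for every query
    to a listed domain or to a subdomain of one. Trailing dots and case are
    normalised so 'GraphWebGo.cn.' still matches."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue  # skip lines that are not query records
        qname = m.group("qname").rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in ALUREON_DC_DOMAINS):
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


# Constructed sample data (not captured from a real system).
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Mozilla": {"affid": "216", "subid": "new"},
    r"HKLM\SOFTWARE\Mozilla\Firefox": {"CurrentVersion": "3.5.5"},  # benign key
}
SAMPLE_DNS_LOG = [
    "2009-12-15T10:01:02Z 10.0.0.12 query www.example.com.",
    "2009-12-15T10:01:05Z 10.0.0.12 query graphwebgo.cn.",
    "2009-12-15T10:01:09Z 10.0.0.31 query weeklytop.cn.",
    "2009-12-15T10:02:00Z 10.0.0.12 query mail.example.com.",
]


def triage(snapshot=SAMPLE_SNAPSHOT, dns_log=SAMPLE_DNS_LOG):
    """Run both checks and return one report dict for the responder."""
    return {
        "registry": find_registry_indicators(snapshot),
        "dns": find_dns_indicators(dns_log),
    }


if __name__ == "__main__":
    report = triage()
    for name, data in report["registry"]:
        print(f"registry: {ALUREON_DC_SUBKEY} {name} = {data!r}")
    for ts, client, qname in report["dns"]:
        print(f"dns: {ts} {client} -> {qname}")
```

On a real host the snapshot would be built from a registry export or a `winreg` walk and the log lines read from the resolver or proxy, but the matching logic is the same; a hit on the DNS side identifies the client that should be examined for the registry artefact and for a randomly named executable in its temporary files folder.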

    Analysis by Chun Feng

    Last update 15 December 2009
