WinNT/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The WinNT/Alureon trojan can also allow an attacker to transmit malicious data to your PC. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after WinNT/Alureon is removed.
Instances of Win32/Alureon migh contain various malicious components. The following are three examples of Win32/Alureon components:
One component of the Win32/Alureon family specifies the DNS servers to be used by the host PC. To do so, this component sets DNS server addresses for each network adapter on the host PC by modifying values in certain registry subkeys associated with the adapters. For example, the trojan component might:
-
Modify registry value: "DhcpNameServer"
under subkey: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
-
Modify registry values:
"NameServer"
"DhcpNameServer"
under certain subkeys of the subkey:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
The same component may also set the fields "IpDnsAddress" and "IpDns2Address" to specific DNS servers in the Windows dial-up configuration file that is for the All Users profile. The trojan sets these fields if the configuration file already contains data. The dial-up configuration file location for the All Users Profile for Windows XP, Server 2003, and Vista is:
To allow these new DNS settings to take immediate effect, the Win32/Alureon trojan runs the following commands:
Another Win32/Alureon component can perform the following operations:
-
-
Inject threads into local processes to delete itself and perform other tasks.
-
Create registry entries under the key HKCR.
-
Create registry subkeys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins.
A third Win32/Alureon component might perform the following operations:
-
Gather URLs from your web-browsing history.
-
Create a new registry value in subkey
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
and place random data in that value.
-
Create a randomly named copy of itself under the Windows system folder
-
Modify the registry to cause the trojan copy to run automatically each time Windows starts:
Adds value: <name of trojan copy>
With data: <path to trojan copy>
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-
Delete the following registry entries under subkey HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
-
Run Internet Explorer or the default Web browser and inject code into the corresponding new process. The injected code may take various actions, including changing DNS server settings on the host computer and downloading and running files from certain websites.
-
Run a new instance of explorer.exe and inject code into the corresponding new process. The injected code might take various actions, including deleting the Win32/Alureon file that is running.
Recent variants of Win32/Alureon might be capable of infecting the miniport driver associated with the hard disk of the operating system, causing the driver file to become corrupted and unusable. For the most common system configuration, that is, for computers using ATA hard disk drives, the ATA miniport driver atapi.sys is the target driver file. However, other files may also be targeted.
The top ten most commonly-targeted driver files are:
-
atapi.sys
-
iastor.sys
-
iastorv.sys
-
idechndr.sys
-
nvata.sys
-
nvatabus.sys
-
nvgts.sys
-
nvstor.sys
-
nvstor32.sys
-
sisraid.sys
Some Win32/Alureon components can disable or clear the existing Internet Explorer proxy settings.
