Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:Win32/Alureon.CG
Detected by Microsoft Defender Antivirus
Aliases: Win32/Alureon.AEJ (CA) Win32/Almark.JU (ESET) Trojan.Win32.Agent.crez (Kaspersky) DNSChanger.t (McAfee) DNSChanger.FFCM (Norman) Trj/Alureon.AW (Panda) Mal/TDSS-F (Sophos) Backdoor.Tidserv (Symantec) Trojan.DNSChanger.Gen!Pac.16 (VirusBuster)
Summary
Trojan:Win32/Alureon.CG is a trojan that monitors user Web usage and may send captured data to a remote server.
For more information refer to the description for the Win32/Alureon family.
The Win32/Alureon trojan may enable an attacker to transmit malicious data to the infected computer. Recovering from this situation may require measures beyond removing the trojan itself from the computer. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Restoring Corrupted Files
In some instances, Alureon may modify certain driver files such that they become corrupted and unusable. These corrupted files that will NOT be restored by detecting and removing this threat. In order to restore functionality to the computer, the corrupted file must be restored from backup. Users are advised to boot into a recovery environment and manually replace the file with a clean copy.
Restoring DNS Settings
The Domain Name System (DNS) is used (among other things) to map domain names to IP addresses - that is, to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a particular URL, a browser will use DNS servers to find the correct IP address of the requested domain. When a user is directed to a malicious server that is not part of the authoritative Domain Name System, an attacker can provide incorrect IP addresses at their choice to map to particular domain names, thus directing the user to possibly bogus or malicious sites without the affected user's knowledge.
Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
-
If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553
-
If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:
%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
Other recovery steps
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s:
- Stopping and starting Windows services: http://technet.microsoft.com/en-us/library/cc736564.aspx
- Enable the following Windows service: wscsvc
- Enabling Windows Security Center alerts:
- For Windows Vista: http://windowshelp.microsoft.com/Windows/en-US/Help/c5e78ee2-b00a-444d-8c57-e29bda8768a81033.mspx
- For Windows XP: http://support.microsoft.com/kb/889737
- For other support and help related articles, go to:
- Windows Vista: http://support.microsoft.com/ph/11732#tab0
- Windows XP: http://support.microsoft.com/ph/1173#tab0
- Microsoft Security TechNet Center: http://technet.microsoft.com/security/default.aspx
Follow us
