Installation
Trojan:Win32/Alureon.GC copies itself to %ALLUSERPROFILE%\<random_file name>.exe.
It checks which version of Windows you are running and installs a specific version of itself.
Trojan:Win32/Alureon.GC creates the following registry entry to ensure that it runs each time you start your computer:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random_file name>"
With data: "%APPDATA%\<random_filename>.exe"
The trojan creates a mutex named "Global\<Machine_GUID><hardcoded_value><current_process_id>" to make detection more difficult. These values uniquely identify your computer and change from computer to computer. An example could be Global\{25892e17-80f6-415f-9c65-7395632f0223}gfdgfdgdfg4a4.
It attempts to inject its payload into the following files:
- Explorer.exe
- Firefox.exe
- Iexplore.exe
- Mozilla.
Payload
Downloads files
The trojan contacts a remote host specified in its configuration file.
We have seen it contact the following servers:
- grek.uni.me/bablo/dropper/data.php
- 151.248.114.105/<removed>/dropper/data.php
- 188.225.36.240/k1/d6154765172/<removed>.php
- 188.225.36.241/k1/d6154765172/<removed>.php
- 188.225.36.242/k1/d6154765172/<removed>.php
The configuration file may include the following instructions:
- Download and install files
- Download and install modules
- Update the trojan
- Inject itself into processes using different methods
- Send logs of its activity to a remote server
- Write to a configuration file
The downloaded configuration file is stored in %ALLUSERPROFILE%\<random_letters>.cfg. The file is encrypted using a version of the RC4 encryption algorithm, and the key is generated using your computer's GUID, which makes it difficult to decrypt.
Additional information
The trojan configuration file has the following format:
<marker>
srvurls=<url that may retrieve another configuration file>
srvdelay=<digits>
srvretry=<digits>
buildid=<identifier>
fpicptr=<API>
<modules>
softwaregrabber=<random_characters>
modkiller=<random_characters>
bot32=<random_characters>
bot64=<random_characters>
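To make the layout above concrete, here is an added parser for this configuration format (example code written for this page, not part of Microsoft's analysis or the malware). It assumes the file has already been decrypted to plaintext, and every value in the embedded sample is a constructed placeholder.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class AlureonConfig:
    marker: str                                   # first line of the file
    settings: dict = field(default_factory=dict)  # srvurls, srvdelay, ...
    modules: dict = field(default_factory=dict)   # entries after <modules>

def parse_config(text: str) -> AlureonConfig:
    """Parse an already-decrypted config; raise ValueError on malformed input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty configuration")
    cfg = AlureonConfig(marker=lines[0])
    target = cfg.settings
    for line in lines[1:]:
        if line == "<modules>":  # every line after this names a module
            target = cfg.modules
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {line!r}")
        target[key.strip()] = value.strip()
    for key in ("srvdelay", "srvretry"):  # documented as digits only
        if key in cfg.settings and not cfg.settings[key].isdigit():
            raise ValueError(f"{key} must be numeric: {cfg.settings[key]!r}")
    return cfg

def c2_host(cfg: AlureonConfig) -> str:
    """Hostname from srvurls, the indicator a defender would block or hunt for."""
    url = cfg.settings.get("srvurls", "")
    if "://" not in url:
        url = "http://" + url  # the page lists servers without a scheme
    return urlsplit(url).hostname or ""

# Constructed sample in the documented layout; every value is a placeholder.
SAMPLE = """\
<marker>
srvurls=config.example.invalid/dropper/data.php
srvdelay=300
srvretry=5
buildid=build_placeholder
fpicptr=ApiNamePlaceholder
<modules>
softwaregrabber=abc123
modkiller=def456
bot32=ghi789
bot64=jkl012
"""
```

Feeding a recovered config through parse_config and c2_host gives an analyst the contact host and module list without hand-reading the file, and rejects files whose srvdelay or srvretry fields are not the documented digits.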
Analysis by Daniel Chipiristeanu and Jonathan San Jose