Trojan:Win32/Alureon.TK

Trojan:Win32/Alureon.TK is a variant of the Win32/Alureon family that may attempt to embed HTML code into webpages visited by the the user or redirect the browser to certain websites.

Installation

Trojan:Win32/Alureon.TK may be dropped or downloaded by other components of the Win32/Alureon family, such as Trojan:Win64/Alureon.C. It arrives as a randomly-named DLL file in the "%systemroot%" folder.

It is injected into the following processes:

• iexplore.exe
• firefox.exe
• safari.exe
• chrome.exe

Trojan:Win32/Alureon.TK creates mutexes such as the following, depending on what the default browser is:

• Global\C3819288-93FA-4E29-A254-BD9476B53C20
• Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145
• Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
• Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
• Global\cc51461b-e32a-4883-8e97-e0706dc65415
• Global\56684A82-D074-4384-AEB9-D1A40041D9FB

It also stores information about itself in the file "cfg.ini". This file is kept hidden from normal access by Win32/Alureon's rootkit component. It can also check for and download an updated version of itself.

Payload

Monitors network access

Trojan:Win32/Alureon.TK may filter local and Internet traffic by intercepting Windows API calls from the following DLL files:

• dnsapi.dll
• mswsock.dll
• wininet.dll
• ws2_32.dll
• wsock32.dll

Trojan:Win32/Alureon.TK looks out for traffic containing the following keywords:

• .aol.
• .com.com
• .lycos.
• .search.com
• .tqn.com
• 2mdn.net
• 66.235.120.66
• 66.235.120.67
• abmr.net
• about.com
• adbureau.net
• adcertising.com
• adrevolver.com
• alexa.com
• alexametrics.com
• alltheinternet.com
• alltheweb.com
• altavista.com
• aolcdn.com
• ask.com
• atdmt.com
• atwola.com
• bing.
• blinkx.com
• compete.com
• conduit.com
• cuil.com
• dogpile.com
• doubleclick.net
• doubleverify.com
• edgesuite.net
• entireweb.com
• everesttech.net
• exalead.com
• excite.com
• fimservecdn.com
• firmserve.com
• flickr.com
• gigablast.com
• google
• gstatic.com
• infospace.com
• ivwbox.
• iwon.com
• live.com
• lygo.com
• mamma.com
• meedea.com
• metacrawler.com
• msn.com
• myspacecdn.com
• mytalkingbuddy.com
• oneriot.com
• openx.org
• othersonline.com
• picsearch.com
• powerset.net
• scorecardresearch.com
• searchvideo.com
• superpages.com
• tacoda.net
• tribalfusion.com
• truveo.com
• twimg.com
• virtualearth.net
• wazizu.com
• webcrawler.com
• worthathousandwords.com
• yahoo
• yieldmanager.com
• yimg.com
• ytimg.com

If any URLs containing these keywords are accessed, Trojan:Win32/Alureon.TK sends the URL back to a remote server.

Redirects webpages

Trojan:Win32/Alureon.TK intercepts searches from the following websites and may attempt to alter the search results:

• alltheinternet.com
• bing.com
• cuil.com
• entireweb.com
• gigablast.com
• google.com
• mytalkingbuddy.com
• search.conduit.com
• search.lycos.com
• search.toolbars.alexa.com
• search.yahoo.com
• searchservice.myspace.com
• www.mamma.com
• www.search.com

Trojan:Win32/Alureon.TK changes search results by monitoring the search queries and sending that information to a remote server that returns websites that the browser is redirected to.

Modifies Internet settings

Trojan:Win32/Alureon.TK modifies certain Internet settings by changing the following registry entries:

Sets the maximum number of redirects done by Internet Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "MaxHttpRedirects"
With data: "9999"

Enables HTTP 1.1 in Internet Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "EnableHttp1_1"
With data: "1"

Changes the way that Internet Explorer handles submitting non-encrypted form data and Active Scripting:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "CurrentLevel"
With data: "0"
Sets value: "1601"
With data: "0"
Sets value: "1400"
With data: "0"

Trojan:Win32/Alureon.TK also enables browser cookies.

Analysis by Mihai Calota