Virus:Win32/Alureon.G
Aliases:
- W32/SYStroj.AB2.gen!Eldorado (Command)
- Win32/Patched.CH (AVG)
- TR/Patched.Gen (Avira)
- Win32/Olmarik!generic (CA)
- BackDoor.Tdss.2213 (Dr.Web)
- Win32/Olmarik.UI (ESET)
- Rootkit.Win32.TDSS.ai (Kaspersky)
- Patched-SYSFile.c (McAfee)
- Win32/Alureon.G (other)
- W32/TDSS.drv.gen7 (Norman)
- Adware/SystemGuard2009 (Panda)
- Win32.TDSS.a (Rising AV)
- Backdoor.Tidserv!inf (Symantec)
- PE_TDSS.MTR (Trend Micro)
Summary
Win32/Alureon may perform the following actions on an affected computer:
- modifying the affected user's search results (search hijacking)
- redirecting the affected user's browsing to sites of the attacker's choice (browser hijacking)
- changing DNS settings so that the user is redirected to sites of the attacker's choice without their knowledge
- downloading and executing arbitrary files, including additional components and other malware
- serving illegitimate advertising
- installing rogue security software
- banner clicking (generating clicks on advertisements without the user's involvement)
Restoring Corrupted Files
Restoring DNS Settings
- If the computer has a network interface that is not configured by DHCP (that is, it uses static TCP/IP settings), check its DNS server addresses and reset them if they point to a server you do not recognise. For information on configuring TCP/IP to use DNS in Windows XP, see http://support.microsoft.com/kb/305553
- If a dial-up connection is ever used from the computer, check and, if necessary, reconfigure the dial-up settings stored in the rasphone.pbk file, because Win32/Alureon may set the "IpDnsAddress" and "IpDns2Address" fields in that file to the attacker's DNS server address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:
%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
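The dial-up check above, as an added example that is not part of the original Microsoft write-up: a Python script that parses an rasphone.pbk phonebook, flags every IpDnsAddress/IpDns2Address value that is neither the automatic placeholder nor a resolver the operator trusts, and produces a cleaned copy with those fields reset. The sample phonebook, the trusted-resolver set (RFC 5737 documentation addresses), and the assumption that 0.0.0.0 in these fields means "obtain DNS automatically" are all constructed for illustration and are not taken from the page.

```python
"""Audit a Windows dial-up phonebook (rasphone.pbk) for hard-coded DNS servers.

Added example, not Microsoft's removal code. rasphone.pbk is an INI-style file
([Entry name] sections with Key=Value lines); keys can repeat within a section,
so a line-by-line scan is used instead of configparser.

Assumptions not stated on the page: "0.0.0.0" in IpDnsAddress/IpDns2Address
means "obtain DNS automatically", and the sample phonebook plus the trusted
resolver set below are constructed for illustration.
"""
import re
from typing import List, Set, Tuple

DNS_KEYS = ("IpDnsAddress", "IpDns2Address")
AUTOMATIC = "0.0.0.0"  # assumed placeholder for "no hard-coded DNS server"

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
KEYVAL_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

# Constructed sample: one entry using the trusted resolvers, one entry whose
# primary DNS has been pointed at an unknown server, one entry on automatic DNS.
SAMPLE_PBK = """[Office Dial-up]
Encoding=1
Type=1
IpPrioritizeRemote=1
IpDnsAddress=192.0.2.53
IpDns2Address=192.0.2.54

[Home Dial-up]
Encoding=1
Type=1
IpPrioritizeRemote=1
IpDnsAddress=198.51.100.7
IpDns2Address=192.0.2.53

[ISP Default]
Encoding=1
Type=1
IpPrioritizeRemote=1
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
"""

# Constructed: resolvers the operator knows to be legitimate.
TRUSTED_DNS: Set[str] = {"192.0.2.53", "192.0.2.54"}


def audit_phonebook(text: str, trusted: Set[str]) -> Tuple[List[dict], str]:
    """Scan phonebook text; return (findings, cleaned_text).

    findings: one dict {entry, key, address} per DNS field that is neither the
    automatic placeholder nor a trusted resolver.
    cleaned_text: the same phonebook with each flagged field reset to AUTOMATIC;
    every other line is preserved unchanged so the file stays loadable.
    """
    findings: List[dict] = []
    out: List[str] = []
    entry = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        sec = SECTION_RE.match(line)
        if sec:
            entry = sec.group(1)
            out.append(line)
            continue
        kv = KEYVAL_RE.match(line)
        if kv and entry is not None and kv.group(1) in DNS_KEYS:
            key, value = kv.group(1), kv.group(2).strip()
            if value and value != AUTOMATIC and value not in trusted:
                findings.append({"entry": entry, "key": key, "address": value})
                line = f"{key}={AUTOMATIC}"
        out.append(line)
    return findings, "\n".join(out) + "\n"


def main() -> None:
    findings, cleaned = audit_phonebook(SAMPLE_PBK, TRUSTED_DNS)
    for f in findings:
        print(f"[{f['entry']}] {f['key']} points at untrusted server {f['address']}")
    if not findings:
        print("no hard-coded untrusted DNS servers found")
    # In practice: back up the original phonebook first (the scanner keeps a
    # rasphone.pbk.bak for the same reason) before writing 'cleaned' over it.


if __name__ == "__main__":
    main()
```

Running the script against a real phonebook means reading the file from %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\ and passing its text to audit_phonebook with the resolvers your ISP or organisation actually uses; any address that is flagged should be treated as a possible Alureon modification and compared against the .bak copy the scanner left behind.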