Threat behavior
An installation of Win32/Alemod includes an installation program (a Trojan dropper) and three files that the dropper installs: a dynamic-link library (DLL), a program that displays a Web-shortcut icon in the taskbar notification area, and a partial-uninstaller program.
The Trojan dropper performs numerous tasks. It accesses a certain Web site to notify the author of the version of Windows that has been infected. It creates registry key HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} and saves several values in that key, including the time of installation.
The dropper installs an HTML file in the Windows folder or the system folder, enables Active Desktop, and sets the desktop wallpaper to the contents of the HTML file. The HTML file typically contains text saying the computer is infected with spyware and includes a hypertext link to a Web site that purportedly removes the spyware. Clicking the link opens a browser window to a Web site that can deliver spyware. The installation program also modifies the registry to prevent the user from using the Display program in Control Panel to change the desktop display.
The dropper installs a dynamic-link library file that works with Win32/Nsag to capture outbound user Web traffic and send the captured user data to specified Web sites. The installer drops another program and sets the registry so that this program runs every time Windows starts. This program displays an exclamation-point icon in the taskbar notification area. When the mouse pointer hovers over the icon, the message "Your computer is infected!" appears. When the user double-clicks the icon, a browser window opens to a spyware-related Web site.
The Trojan dropper also drops a partial-uninstaller program in the Windows folder and adds an entry for it in “Add or Remove Programs” in Control Panel. The entry may appear as “Desktop Uninstall” or “Internet Update”. When the partial uninstaller runs, it undoes only some of the changes that Win32/Alemod causes on the infected computer.
After Win32/Alemod has been on the computer for 72 hours or more, the Win32/Alemod DLL places two Web shortcuts on the user's desktop. The shortcuts may be named “Download Music” and “Download Movies” and may link to Web pages that can infect the computer with other malicious software or spyware.
Win32/Alemod may also try to download and run programs from certain Web sites related to malicious software or spyware. The installation program for some variants of Win32/Alemod does not run if the system time is after a certain date.
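The following read-only PowerShell triage script is an added example, not part of the original encyclopedia entry, that checks a machine for the artifacts described above (the CLSID key, an HTML Active Desktop wallpaper, Display applet restrictions, the Add or Remove Programs entries, Run-key persistence, and the two desktop shortcuts). The registry values checked for the Display restriction (NoDispCPL, NoDispBackgroundPage) are an assumption, since the entry does not name the values the dropper sets; the Active Desktop, Run and Uninstall paths are standard Windows locations.

```powershell
# Added triage script (not from the original advisory); read-only, reports only.
function Get-AlemodIndicators {
    $findings = @()
    $add = { param($c, $d) $script:findings += [pscustomobject]@{ Check = $c; Detail = $d } }

    # 1. CLSID key named in the advisory (holds installation-time values).
    $clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}'
    if (Test-Path $clsid) { & $add 'CLSID key' $clsid }

    # 2. Active Desktop wallpaper pointing at an .htm/.html file.
    $ad = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
    $wp = (Get-ItemProperty -Path $ad -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -match '\.html?$') { & $add 'HTML wallpaper' $wp }

    # 3. Display applet restrictions. ASSUMPTION: the advisory only says the registry
    #    is modified to block the Display program; these are the usual policy values.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    foreach ($v in 'NoDispCPL', 'NoDispBackgroundPage') {
        if ($p.$v -eq 1) { & $add 'Display restriction' $v }
    }

    # 4. Add or Remove Programs entries with the names the advisory lists.
    $uninst = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
              'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -in 'Desktop Uninstall', 'Internet Update' } |
        ForEach-Object { & $add 'Uninstall entry' $_.DisplayName }

    # 5. Run-key entries (the notification-area program starts from here); listed for review.
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $r = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($r) {
            $r.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { & $add 'Run entry (review)' "$($_.Name) = $($_.Value)" }
        }
    }

    # 6. Desktop Web shortcuts with the names the advisory gives (dropped after 72 hours).
    Get-ChildItem -Path ([Environment]::GetFolderPath('Desktop')) -Filter '*.url' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -in 'Download Music', 'Download Movies' } |
        ForEach-Object { & $add 'Desktop shortcut' $_.FullName }

    return $findings
}

Get-AlemodIndicators | Format-Table -AutoSize
```

Run entries are listed rather than matched because the entry does not name the dropped program; compare them against known-good autostart entries for the machine.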
Prevention