Win32/Alureon

Installation and payload

Changes DNS server settings

Win32/Alureon contains different malicious components. The following are three examples of these components:

One component specifies the DNS servers used by your PC. To do so, this component sets DNS server addresses for each network adapter on your PC by changing values in certain registry subkeys associated with the adapters.

For example, the component might change these registry values:

In subkey: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Value: "DhcpNameServer"

In subkeys of the key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Values:
"NameServer"
"DhcpNameServer"

This component can also set the following fields to specific DNS servers in the stored dial-up configuration data:

• IpDnsAddress
• IpDns2Address

It resets these fields if your PC already has data in these fields. The dial-up configuration file is located in:

• %ALLUSERPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

To let these new DNS settings immediate effect, Alureon runs the following commands:

ipconfig.exe /flushdns
ipconfig.exe /registerdns
ipconfig.exe /dnsflush
ipconfig.exe /renew
ipconfig.exe /renew_all

A second Alureon component does the following:

• Create a randomly named copy of itself in the <system folder>
• Inject threads into local processes to delete itself and do other tasks
• Create registry entries under the key HKCR
• Create registry subkeys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins

A third Alureon component does the following:

• Gather URLs from your browser history
• Create a new registry value in the subkey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and place random data in it
• Create a randomly named copy of itself under the <system folder>
• Add this entry to the registry so that the trojan copy runs automatically each time Windowsstarts:

  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sets value: "<name of trojan copy>"
  With data: "<path to trojan copy>"

• Delete the following registry entries under the subkey HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
  • The registry value whose name matches the name of the trojan file that is currently running.
  • The registry subkey whose name matches the name of the trojan file that is currently running.
• Run the default web browser and inject code into this new browser process; the injected code might change DNS server settings on your PC and download and run files from certain websites
• Run a new instance of explorer.exe and inject code into this new process; the injected code might delete the copy of this trojan that's currently running, to avoid detection by your security software

Corrupts drivers

Some variants of Alureon can infect the miniport driver associated with the hard disk of the operating system, causing the driver file to become corrupted and unusable. For the most common PC configuration (PCs using ATA hard disk drives) the ATA miniport driver atapi.sys is the target driver file. However, other files can also be targeted.

The most commonly-targeted driver files are:

• atapi.sys
• iastor.sys
• iastorv.sys
• idechndr.sys
• nvata.sys
• nvatabus.sys
• nvgts.sys
• nvstor.sys
• nvstor32.sys
• sisraid.sys

Disables proxy settings

Some Alureon components can disable or clear existing Internet Explorer proxy settings.