COMPUTER "TROJAN:Win32/Alureon.A"; or, The ROOTKIT MALWARE You Don't Even Know You Have.
http://www.microsoft.com/security | Updated: Dec 16, 2009 | Microsoft
Posted on 04/07/2010 1:22:51 AM PDT by Yosemitest
Summary
Trojan:Win32/Alureon.A is a data-stealing trojan. This trojan allows an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. Trojan:Win32/Alureon.A may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after Trojan:Win32/Alureon.A is removed from the computer.
Microsoft Malware Protection Center has more info.
(Excerpt) Read more at microsoft.com ...
TOPICS: Extended News; Front Page News; News/Current Events
KEYWORDS: alureona; computer; malware; microsofttax; trojan; virus
To: HiTech RedNeck
There is a version of Visual Studio that is free. I know of no license restrictions on software from it and I cannot imagine how it could even be enforced. I can code in notepad and in VS and they compile the same.
81 | posted on 04/07/2010 9:52:45 AM PDT by wireplay
To: Yosemitest
Bump for later dissection at home. Cool genealogy lesson on XP.
82 | posted on 04/07/2010 9:56:06 AM PDT by ssaftler (America feared a third "W" term, and got a second "Jimmuh" term instead.)
To: McGruff
Of course, as a developer, I can have a button that says Cancel that actually is an Ok button. Nothing can stop me from being malicious and redirecting you and there is no prevention.
83 | posted on 04/07/2010 9:58:50 AM PDT by wireplay
To: driftdiver
"Yeah get a mac and get an OS from the 70s"
Windows NT is based on VMS, from the 70s, the API having its origins in 16-bit Windows from the 80s. OS X is based on FreeBSD from the 90s, which is based on 386BSD from the 90s, based on BSD, and then UNIX from the 70s. But that's only one lineage for the user space, file system and network. The kernel is MIT Mach from the 80s, and the API and other technologies are from NeXT in the 80s.
To: wizwor
To: Spaulding
On a previous visit to the MIL I put on anti-spyware and anti-virus. On the most recent visit I spent most of my Easter day getting two trojans and other assorted nasties off her machine.
It would be easier just to get her a Mac.
To: HiTech RedNeck
Read Malware Protection Center Technical Information (Analysis):
A second Trojan:Win32/Alureon.A component may perform the following operations:
Create a randomly named copy of itself under the Windows system folder. Note: By default, on Windows 95/98/ME the location of the Windows system folder is C:\Windows\System. On Windows NT/2000, the default location is C:\Winnt\System32. On Windows XP/Server 2003/Vista, the default location is C:\Windows\System32.
Inject threads into local processes to delete itself and perform other tasks.
Create registry entries under HKEY_CLASSES_ROOT.
Create registry subkeys such as: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
I don't know about it attacking Windows 7, so you'll have to research that question.
87 | posted on 04/07/2010 10:30:37 AM PDT by Yosemitest (It's simple, fight or die.)
To: chilltherats
"Spyware Terminator detected it, and its attempt to remove it wasn't successful."
I'd get either Spyware Terminator or Microsoft Security Essentials.
But let me warn you, Microsoft Security Essentials does NOT play well with others.
It wants to be the ONLY anti-virus HIPS firewall you have.
You can use it, IF you turn off ALL OTHER virus detectors you have. After you download it, and use it, I recommend you turn off its HIPS firewall, and turn on your other HIPS protection.
88 | posted on 04/07/2010 10:41:29 AM PDT by Yosemitest (It's simple, fight or die.)
To: ErnBatavia
"CCleaner ... Do you have any idea what 'checkbox' I should uncheck?"
Open CCleaner.
Go to "Options" on the left side. Click on Advanced. UNCHECK the top box "Only delete files in Windows Temp older than 24 hours".
Go to the left side and click Cleaner.
Then click Run Cleaner on the lower right side.
89 | posted on 04/07/2010 10:51:56 AM PDT by Yosemitest (It's simple, fight or die.)
To: weef
90 | posted on 04/07/2010 10:52:43 AM PDT by Yosemitest (It's simple, fight or die.)
To: ssaftler
91 | posted on 04/07/2010 10:55:07 AM PDT by Yosemitest (It's simple, fight or die.)
To: Yosemitest
92 | posted on 04/07/2010 11:00:17 AM PDT by LucyJo
To: wireplay
I probably got the malware by "searching for old parts for antique vehicles, or tools".
If you really want to know, I'm running a ten year old Toshiba laptop that can't take updates past Windows XP SP2, due to motherboard components.
93 | posted on 04/07/2010 11:00:37 AM PDT by Yosemitest (It's simple, fight or die.)
To: taxcontrol; Swordmaker
To: chilltherats
"Cant I just look for a certain file rather than downloading a scanner?"
I don't think so.
(From Technical Information (Analysis))
A third Trojan:Win32/Alureon.A component may perform the following operations:
Gather URLs from the user's Web-browsing history.
Create a new registry value in subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and place random data in that value.
Create a randomly named copy of itself under the Windows system folder.
Modify the registry to cause the trojan copy to run automatically each time a user logs on:
Adds value: <name of trojan copy>
With data: <path to trojan copy>
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the following registry entries under subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
The registry value whose name matches the name of the trojan file that is currently running.
The registry subkey whose name matches the name of the trojan file that is currently running.
Run Internet Explorer or the default Web browser and inject code into the corresponding new process. The injected code may take various actions, including changing DNS server settings on the host computer and downloading and running files from certain Web sites.
Run a new instance of explorer.exe and inject code into the corresponding new process. The injected code may take various actions, including deleting the Trojan:Win32/Alureon.A file that is running.
Some Trojan:Win32/Alureon.A components may disable or clear the existing Internet Explorer proxy settings.
In short, the malware rewrites one of your files, disguising itself, so that you can't see it, just by file name.
95 | posted on 04/07/2010 11:23:49 AM PDT by Yosemitest (It's simple, fight or die.)
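The Microsoft analysis quoted in posts 87 and 95 gives a defender two concrete things to look for: a Run value in HKLM\...\CurrentVersion\Run whose data is a randomly named copy in the Windows system folder, and a subkey named "ruins" under CurrentVersion. The following script is an added example, not Microsoft's or the poster's code; it parses a `reg export` of that key (the sample export below is constructed, and the "qhx7k2pv" entry is an invented stand-in for the random name) and lists candidates for manual review.

```python
import re
import ntpath

# Default Windows system folders named in the Microsoft write-up quoted above.
SYSTEM_FOLDERS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
# Constructed sample of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion` (a real
# export is UTF-16: open it with encoding="utf-16"); "qhx7k2pv" is an invented stand-in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"qhx7k2pv"="C:\\Windows\\System32\\qhx7k2pv.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader\\Reader_sl.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
'''
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
def parse_reg_export(text):
    """[key] headers and "name"="data" string values -> {key: {name: data}}; dword:/hex: skipped."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo \\ and \" escapes
            keys[current][name] = data
    return keys
def executable_path(data):
    """Program path from a Run value's data: the quoted part, or the first token."""
    data = data.strip()
    return data[1:data.find('"', 1)] if data.startswith('"') else data.split(" ", 1)[0]
def looks_random(stem):
    """Triage heuristic: 6+ alphanumeric chars that are digit-laden or nearly vowel-free."""
    if len(stem) < 6 or not stem.isalnum():
        return False
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / max(len(letters), 1)
    return any(c.isdigit() for c in stem) or vowel_ratio < 0.2
def suspicious_run_entries(keys):
    """Run values that launch a random-looking executable from a system folder; review by hand."""
    hits = []
    for key, values in keys.items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                folder, filename = ntpath.split(executable_path(data))
                if folder.lower() in SYSTEM_FOLDERS and looks_random(ntpath.splitext(filename)[0]):
                    hits.append((name, ntpath.join(folder, filename)))
    return hits
def indicator_keys(keys):
    """Subkeys with the 'ruins' name the write-up lists as created by the trojan."""
    return [k for k in keys if k.lower().endswith(r"\currentversion\ruins")]
```

A hit is only a candidate: confirm it by checking the file's publisher signature and hash before removing anything, and remember the analysis says the trojan also rewrites DNS settings, which this registry check does not cover.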
To: erman
96 | posted on 04/07/2010 11:33:54 AM PDT by Yosemitest (It's simple, fight or die.)
To: Yosemitest
My gosh! I just bought a Dell Mini 10, with windows 7 starter (my first windows purchase since win2k). If it ever gets to that point, I think I’d just take it out back and shoot it, and go buy another one.
To: erman
98 | posted on 04/07/2010 11:38:02 AM PDT by Yosemitest (It's simple, fight or die.)
To: antiRepublicrat
hogwash, the genesis of the mac OS is from the 60s, just as the windows 7 OS had its infancy during the same period.
99 | posted on 04/07/2010 12:22:44 PM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)
To: driftdiver
"hogwash, the genesis of the mac OS is from the 60s, just as the windows 7 OS had its infancy during the same period."
The genesis of a part of OS X is from the UNIX of the 70s, unless you want to count Multics from the 60s. VMS, the Windows 7 genesis, was developed in the 70s for the DEC VAX computer. I don't know that VMS is based on anything earlier.