BKDR_ALUREON.APL

 Analysis by: kathleenno

 ALIASES:

Backdoor.Tidserv (Symantec); Trojan:Win32/Meredrop (Microsoft); Backdoor.Win32.TDSS.ewa (Kaspersky)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: Yes

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes registry entries, causing some applications and programs to not function properly.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

174,080 bytes

Memory Resident:

Yes

Initial Samples Received Date:

06 Apr 2011

Payload:

Modifies system registry, Compromises system security

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • %System%\spool\prtprocs\w32x86\{random filename}.dll
  • %Windows%\Temp\{random filename}.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.)

It drops copies of itself into folders whose names contain the following strings:

  • %User Temp%\{random filename}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This backdoor modifies the following registry entries:

Kathleen Mae Notario: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
NameServer = 93.188.165.175,93.188.160.235

(Note: The default value data of the said registry entry is blank.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{network ID}}
NameServer = 93.188.165.175,93.188.160.235

(Note: The default value data of the said registry entry is blank.)

It deletes the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpNameServer = {user-defined}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpDomain = {user-defined}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{network ID}
DhcpNameServer = {user-defined}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{network ID}
DhcpDefaultGateway = {user-defined}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{network ID}
DhcpDomain = {user-defined}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{network ID}
DhcpSubnetMaskOpt = {user-defined}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{network ID}\Parameters\
Tcpip
DhcpDefaultGateway = {user-defined}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{network ID}\Parameters\
Tcpip
DhcpSubnetMaskOpt = {user-defined}

Other Details

This backdoor deletes itself after execution.