Alureon

Alureon Description

Alureon is one of the most dangerous malware infections. The Alureon Trojan and rootkit can search a computer system's network traffic and extract account information, passwords, online banking data and credit card information. The Alureon Trojan is responsible for several well-publicized attacks on computer systems using Windows operating systems. Microsoft has released several patches for their operating system, in order to undo some of the effects of this dangerous malware invader. According to PC security researchers, as of 2010, Alureon was responsible for the second-largest botnet and a host of spam email and DDoS attacks.

A Timeline of the Alureon Rootkit


According to PC security researchers, the first infections of the Alureon rootkit were first detected in 2006. Most computer systems become infected with the Alureon malware threat after downloading and installing a Trojan included with rogue security programs. Clones of Security Essentials 2010, a fairly typical fake security application, have been known to infect a computer system with Alureon. Once this Trojan enters a computer system, Alureon takes over the spoolsv.exe Windows service and injects a malicious code into the infected computer. It can then corrupt system drivers, such as atapi.sys, in order to carry out its rootkit implementation. Once the computer system is infected with the Alureon Trojan and rootkit, this malware threat will often cause browser redirects and lead its victims to malicious fake search engine websites. The Alureon rootkit has also been known to block automatic Windows updates and to prevent its victim from launching known anti-malware applications.

Detecting and Removing Alureon


The Alureon Trojan and rootkit caught the attention of PC security researchers, when Alureon was responsible for extensive crashes on Windows systems after the security update MS10-015. Since then, Microsoft has altered their update to prevent its installation, in case of an Alureon infection. However, the criminals behind this malware threat have also fixed this bug. As of 2010, malware analysts have reported that Alureon can now bypass the kernel-mode driver signing the requirement that is characteristic of the Windows 7 operating system. This makes Alureon particularly difficult to remove through normal means. The Alureon rootkit can remain undetected indefinitely. However, examining the infected computer's network traffic can show its presence. A specialized rootkit-removal tool may be necessary, before a legitimate anti-malware program is able to find and remove the Alureon infection.
Aliases: Win32:Kryptik-LJL [Trj] [Avast], Artemis!B0DD981293FF [McAfee], Trojan.Agent.ED [Malwarebytes], WS.Reputation.1 [Symantec], Troj_Generic.JXOLZ [Norman], TROJ_GEN.RCBCDDA [TrendMicro-HouseCall], W32/Daws.BOLW!tr [Fortinet], Trojan-Dropper.Win32.Daws.bolw [Kaspersky], Gen:Variant.Symmi.17638 [BitDefender], TR/Symmi.17638.8 [AntiVir], Trojan.WinNT.Alureon [Ikarus], a variant of Win32/Kryptik.AYKH [ESET-NOD32], Trojan:WinNT/Alureon [Microsoft], Win32.Troj.Daws.bo.(kcloud) [Kingsoft] and Gen:Variant.Symmi.17638 (B) [Emsisoft].

Infected with Alureon? Scan Your PC for Free

Download SpyHunter’s Spyware Scanner
to Detect Alureon

Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in 'Safe Mode with Networking' and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

Infection Statistics


Our MalwareTracker shows malware activity across the world. Explore real-time data of Alureon outbreaks and other threats from global to local level.

File System Details

Alureon creates the following file(s):
# File Name Size MD5 Detection Count
1 00195d36.exe 40,448 fb42eeab698100873bf979d5ba0f0661 74
2 richtx64.exe 671,744 68ba7355d861d924f721720d4b64bb06 66
3 %SystemDrive%\Users\matthew\AppData\Local\Temp\0.20486604276581433 131,584 27939705590a4974edb156ea339dca85 62
4 kernel64xp.dll 298,496 c1f8d3c96f8ce34de36e1ef9ccc1d5ca 46
5 geyekrxnrwowrd.dll 20,480 39fbb470fe4ccf16e050765b15d1729a 45
6 mfo.exe 184,324 dce3dc305736a27ab33cb13b4f49b21a 35
7 dmgmi.exe 47,104 dc3db45bc4a374558ef68a81b778ed27 34
8 %TEMP%\thpm5973560001937761939.tmp 103,424 d458c6eb75444101d6d27c8eca66d3f8 25
9 %WINDIR%\system32\config\systemprofile\AppData\Local\komitaw.dll 10,752 d823c950238ef9afa45cdc509f04a05c 24
10 senekaovrgoend.sys 67,584 c1cf34e2585abad18a912ee59535ebbf 24
11 \\.\globalroot\Device\HarddiskVolume3\Users\Jeff\AppData\Local\Temp\thpm7697982094124185074.tmp 86,016 1ee5efbdfc7c9c77e3737da1e1374fa1 24
12 %TEMP%\thpm3895857826689602663.tmp 121,344 46675e831a2b30d0457c8fa21ee527e9 12
13 %TEMP%\win403700.dat 103,936 c97844bdc7793ae395bdcd345decbca8 7
14 %TEMP%:winupd.exe 133,632 1ffd2c773aaf54bf2f6329c091ffdee3 5
15 %TEMP%\win4036e0.dat 103,424 3cc43862518c71a5309590f835875703 2

More files

Registry Details

Alureon creates the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
richtx64.exe

Site Disclaimer

Leave a Reply

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as-is:
What is 15 + 3 ?