09 Dec 2010, #1
Look familiar? Yes! From Alureon!
It's a normal day for us. We receive a new Bamital virus sample report from a customer, and we provide an analysis. Suddenly, something interesting catches my eye:
What are your thoughts on this code fragment? At first glance, this piece of code looks like a non-malicious call to manipulate the Windows Print Subsystem. But if you've analyzed Alureon before, it may look familiar to you. Yes, Alureon also takes advantage of the Windows Print Subsystem to install its payload.
Now let's recall Alureon's nasty stuff:
The older Alureon installs its payload by using the Windows Print Manager. It drops its malicious payload into the Print Processor directory and then calls the winspool API AddPrintProcessorA() to issue an RPC request to the Print Subsystem, which is hosted by spoolsv.exe; spoolsv.exe then loads the Alureon payload from the Print Processor directory:
Since spoolsv.exe is a trusted system process, this makes Alureon difficult for HIPS/anti-virus products to detect.
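The install pattern described above (a payload dropped into the Print Processor directory, then loaded by spoolsv.exe after the AddPrintProcessor call) leaves a recognisable trace in endpoint telemetry. The following is an added detection example, not code from the post or from Microsoft; it assumes Sysmon-style events (ID 11 = file create, ID 7 = image load), a constructed baseline containing only winprint.dll as a known-good print processor, and constructed sample events.

```python
import re
import ntpath  # handles Windows paths correctly on any host

PRTPROCS = re.compile(r"\\spool\\prtprocs\\", re.IGNORECASE)
# Assumed known-good baseline; in practice, build it from a clean reference host.
KNOWN_PRINT_PROCESSORS = {"winprint.dll"}


def is_spoolsv(image):
    return ntpath.basename(image).lower() == "spoolsv.exe"


def detect_print_processor_abuse(events):
    """Return findings for the print-processor install pattern:
    'drop'           a process other than spoolsv.exe wrote a file into prtprocs
    'load'           spoolsv.exe loaded a non-baseline DLL from prtprocs
    'drop_then_load' both, for the same file (the Alureon/Bamital sequence)."""
    dropped = {}  # lowercase path -> image of the process that wrote it
    findings = []
    for ev in events:
        if ev["EventID"] == 11 and PRTPROCS.search(ev["TargetFilename"]):
            if not is_spoolsv(ev["Image"]):
                dropped[ev["TargetFilename"].lower()] = ev["Image"]
                findings.append(("drop", ev["Image"], ev["TargetFilename"]))
        elif ev["EventID"] == 7 and is_spoolsv(ev["Image"]):
            loaded = ev["ImageLoaded"]
            if PRTPROCS.search(loaded) and ntpath.basename(loaded).lower() not in KNOWN_PRINT_PROCESSORS:
                writer = dropped.get(loaded.lower())
                if writer is None:
                    findings.append(("load", ev["Image"], loaded))
                else:
                    findings.append(("drop_then_load", writer, loaded))
    return findings


# Constructed sample events: one drop by a temp-folder executable, one benign
# load of the baseline print processor, one load of the dropped DLL.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Windows\System32\spool\prtprocs\x64\wnprnt.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\prtprocs\x64\winprint.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\prtprocs\x64\wnprnt.dll"},
]

if __name__ == "__main__":
    for kind, actor, path in detect_print_processor_abuse(SAMPLE_EVENTS):
        print(f"{kind}: {actor} -> {path}")
```

The benign winprint.dll load produces no finding; the dropped DLL is reported once at write time and again, correlated with its writer, when spoolsv.exe loads it.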