DOS/Alureon.A removal


5 replies to this topic

#1 Steve Carson

  • Members
  • 2 posts

Posted 28 November 2010 - 12:13 PM

For future reference, here is how I fixed the problem:

1) Microsoft Security Essentials can detect DOS/Alureon.A on Win XP with SP3 but cannot remove it (at least as of 26 Nov 2010). Microsoft technical support was not helpful.

2) I did some googling and found a free tool from Kaspersky Lab called TDSSKiller.exe. It removes "rootkit" viruses/trojans including DOS/Alureon.A. It quickly removed the trojan from my bad drive.

3) DOS/Alureon.A made the drives on my computer unbootable. I quickly resolved this by using my inexpensive (less than $20) tool PRO/IDE/SATA/USB Harddrive Adapter from Inland Products. I removed the drives from the affected computer and mounted them as USB drives on another computer using this adapter. From there I was able to run TDSSKiller.exe to eliminate the trojan and correct the various boot sectors and boot records so that the drive was again bootable.

Steve


#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 28 November 2010 - 04:33 PM

Thank you for sharing your solution. To avoid any confusion, I am moving this to a more appropriate forum.

A removal guide for this infection can be found here

A word of warning: this is a very advanced rootkit. Improper removal can do a lot of damage to your computer, including preventing it from booting successfully. If you are facing this infection and you are not sure how to remove it, please follow the steps in the preparation guide in order to receive malware removal help.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 h3driver

  • Members
  • 2 posts

Posted 11 December 2010 - 04:29 PM

Steve,
TDSSKiller.exe was a good find; however, I am confused about how you used it. My computer was also rendered unbootable by the trojan. I suspected a dead hard drive or corrupt MBR, so I connected the drive to a working computer using an adapter similar to the one you mentioned. The drive was recognized by the host system and that's when MS Security Essentials informed me of the DOS/Alureon.A infection. The problem is that when I run TDSSKiller.exe it doesn't give me a choice of targets to scan. The only choices are "Services and drivers" and "Boot sectors". The log doesn't tell me which boot sectors are scanned, but the only files that are scanned are on the host drive containing the operating system, C:\ in my case. When running the prog from the command line, there are no switches to direct the scan to a specific drive. So how did you get it to scan the USB drive?

#4 Elise

  • Malware Study Hall Admin

Posted 11 December 2010 - 04:44 PM

Hi h3driver, the question was not directed to me, but I think I can answer your question. :)

TDSSkiller is a rootkit removal tool that targets more than one TDSS variant. The variant Steve describes was most likely TDL4, which infects the Master Boot Record of a drive.
If that is the case, the tool will work when a drive is slaved, since it scans the MBRs of all detected drives.

However, if the infection on the slaved drive was for example TDL3 (which is an infected .sys file in the Drivers folder), TDSSkiller will not be able to detect it when the drive is slaved. Why? Simply because that infected driver is loaded by a Service. A service is part of the registry and gets loaded when Windows starts.
However, Windows on the slaved drive is not started, so the infected driver is not loaded, and thus TDSSkiller does not see it.

I hope this answers your question.

Edited by elise025, 11 December 2010 - 04:45 PM.

regards, Elise

#5 h3driver

  • Members
  • 2 posts

Posted 11 December 2010 - 08:52 PM

Thanks for your insight, Elise. It most likely was the TDL4 variant that infected my hard drive and Steve's. More about that at the end.

In case it will help anyone else who is grappling with a non-bootable system, here is a roadmap of my thought processes (right or wrong) when asking for additional information:

1) When Steve wrote, "...I was able to run TDSSKiller.exe to eliminate the trojan and correct the various boot sectors and boot records so that the drive was again bootable", I assumed he was talking about two steps--eliminating or cleaning infected files, then repairing the MBR. It's relatively easy to repair the MBR whether it was corrupted by malware or otherwise. Although I can't find it now, I thought I read on the web that the trojan changed the MBR so that it executes a malware program written elsewhere on the hard drive instead of immediately passing control to the volume boot record (VBR) of the active (primary) partition on bootup. Once that program executes, it does a lot of other nasty things to the system files.

2) So I was hoping TDSSKiller would remove those other executables and fix the infected system files while the drive was still slaved because I know that files often cannot be removed while the operating system is active and some malware will actively prevent detection. In retrospect, I was probably reading about some other variant that doesn't make the computer unbootable. Elise says that the infected drivers can't be detected unless they are "loaded." I'm not sure why they couldn't be detected if someone wanted to write the program to do it, but I don't question her statement that's how TDSSKiller works.

3) The first time I ran TDSSKiller, I deselected the radio button for "Boot Sectors." I wasn't sure what it would do, and I didn't want it messing with the MBR of the host computer. I already knew the MBR of the slaved drive was infected. I knew how to deal with that; I wanted the other stuff that I thought I read about fixed.

4) When I saw that TDSSKiller had only checked the OS drive of the host computer, I knew I would have to run TDSSKiller after I got the drive bootable again and back in the original computer.

5) I used Paragon Hard Disk Manager 2009 SE to repair the MBR of the slaved drive. Then on the spur of the moment, I decided to run TDSSKiller again with "Boot Sectors" selected. No infection was found, so I decided the hard drive was bootable again. The only uncertainty I had with TDSSKiller at this time was that the log did not tell me which boot sectors had been checked. I consider this to be a deficiency in the program, but it apparently worked for Steve and it's free, so I guess one can't complain too much.

6) Then I put the drive back into the laptop where it came from. It booted without a hitch, so I downloaded and ran TDSSKiller.exe. No infections were found, so I guess the only damage done was to the MBR. I ran MBAM just to be sure and everything seems to be fine.

I am surprised that a rootkit would change the MBR with the only result being that it breaks the computer. I thought the writer would be seeking grander things like adding me to a big bot network in the cloud!
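TDL4 lives in the bootstrap code of the MBR, which is why, as Elise says, a tool that reads the first sector of every attached disk can find it on a slaved drive, and why h3driver wanted to know which boot sectors were actually checked. The following is an added example, not code from this thread or from TDSSKiller, that does that check by hand on a 512-byte sector: verify the 0x55AA signature, list the partition table and the active partition, and compare a SHA-256 of the bootstrap code against a baseline. The sample sectors are constructed (a standard MBR prologue padded with NOPs, plus a copy with its first bytes overwritten; that copy stands in for a modified MBR and is not real rootkit code). The baseline hash is assumed to come from the MBR of a clean machine built with the same Windows version and partitioning tool; the hash covers bytes 0 to 439 only, because the 4-byte disk signature at offset 0x1B8 differs on every disk.

```python
# Added example (not from the thread or from TDSSKiller): an offline check of
# the MBR on a slaved drive. It parses the partition table, verifies the 0x55AA
# boot signature, and compares the bootstrap code against a known-good baseline
# hash. All sample sectors below are constructed; the baseline hash is assumed
# to come from a clean MBR written by the same Windows version / disk tool.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code; bytes 440..443 hold the per-disk signature
PT_OFFSET = 446          # four 16-byte partition entries
BOOT_SIG_OFFSET = 510    # 0x55 0xAA


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    device: str            # which disk was checked (what the TDSSKiller log omitted)
    signature_ok: bool
    bootstrap_sha256: str
    matches_baseline: bool
    partitions: List[Partition]
    active: Optional[Partition]


def bootstrap_hash(mbr: bytes) -> str:
    """Hash only the code area (bytes 0..439). The 4-byte Windows disk
    signature at 0x1B8 differs per disk and must not affect the comparison."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack("<B3BB3BII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def inspect_mbr(mbr: bytes, baseline_sha256: str, device: str) -> MbrReport:
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    sig_ok = mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA"
    digest = bootstrap_hash(mbr)
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.bootable]
    return MbrReport(device, sig_ok, digest, digest == baseline_sha256,
                     parts, active[0] if len(active) == 1 else None)


def read_first_sector(device: str) -> bytes:
    r"""Raw read of sector 0, e.g. r'\\.\PhysicalDrive1' on Windows (run as
    Administrator) or '/dev/sdb' on Linux. Not called by the sample below."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(tampered: bool, disk_signature: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Constructed sector: the standard MBR prologue (cli; xor ax,ax; mov ss,ax;
    mov sp,7C00h) padded with NOPs, a disk signature, and one active NTFS
    partition starting at LBA 63. 'tampered' overwrites the first bytes with a
    short jump so control would leave the normal code path; this is a
    constructed change, not actual rootkit code."""
    code = bytearray(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 8))
    if tampered:
        code[0:3] = b"\xEB\x20\x90"
    entry = struct.pack("<B3BB3BII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 1_000_000)
    mbr = bytes(code) + disk_signature + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xAA"
    assert len(mbr) == SECTOR_SIZE
    return mbr


if __name__ == "__main__":
    baseline = bootstrap_hash(build_sample_mbr(tampered=False))
    for label, sector in (("clean", build_sample_mbr(False)),
                          ("tampered", build_sample_mbr(True))):
        r = inspect_mbr(sector, baseline, f"PhysicalDrive1 ({label}, constructed)")
        print(r.device, "| signature ok" if r.signature_ok else "| NO SIGNATURE",
              "| bootstrap matches baseline" if r.matches_baseline else "| BOOTSTRAP MODIFIED",
              "| active partition LBA", r.active.lba_start if r.active else None)
```

To use it on a real slaved drive, replace the constructed sectors with read_first_sector(r'\\.\PhysicalDrive1') run as Administrator, and read the VBR the same way by seeking to active.lba_start * 512. A hash mismatch only says the bootstrap differs from your baseline, so keep a dump of the original sector before repairing the MBR with a disk tool, as h3driver did with Paragon.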

#6 Elise

  • Malware Study Hall Admin

Posted 12 December 2010 - 05:18 AM

Hi, since you mentioned you deselected "boot sectors", yes, I think that is why, in your case, the infection was not detected when you slaved the drive.

h3driver wrote: "Elise says that the infected drivers can't be detected unless they are "loaded." I'm not sure why they couldn't be detected if someone wanted to write the program to do it, but I don't question her statement that's how TDSSKiller works."

TDSSkiller does not scan all files on the disk, it is a small and quick tool that checks for signs of certain rootkit infections.
I might be mistaken, but I don't think it scans files, except for those loaded in memory.

If a slaved drive with a TDL3 infection were scanned by an AV, it is likely the infected driver file would be found and deleted. That is not desirable, since the file is patched and has to be replaced; otherwise the computer will be unbootable in most cases.

regards, Elise
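Elise's last point is that a file-level scan of a slaved drive can delete a patched driver, and that a deleted driver leaves the system unbootable while a patched one needs replacing. The following added example (not from the thread or from any vendor tool) shows the offline check a practitioner would run instead: hash every .sys file under the slaved drive's Windows\System32\drivers folder and diff the result against a baseline, reporting patched, missing and unexpected files as separate findings. The baseline is assumed to have been produced with the same hash_tree() function on a clean install of the same Windows version and service pack; the driver folders in demo() are constructed in a temporary directory with dummy contents.

```python
# Added example (not from the thread or any vendor tool): compare the driver
# files on a slaved Windows drive against a baseline of known-good hashes, so a
# patched .sys file is reported as "patched" rather than silently deleted.
# The baseline is assumed to be built with hash_tree() on a clean install of
# the same Windows version and service pack; the directory trees in demo()
# are constructed in a temporary folder for demonstration.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(drivers_dir: Path) -> Dict[str, str]:
    r"""Map lower-cased file name -> SHA-256 for every *.sys under drivers_dir,
    e.g. Path(r'E:\Windows\System32\drivers') for a slaved drive mounted as E:."""
    return {p.name.lower(): sha256_file(p)
            for p in sorted(drivers_dir.rglob("*.sys")) if p.is_file()}


def compare_drivers(baseline: Dict[str, str], slaved: Dict[str, str]) -> Dict[str, List[str]]:
    """'patched': present in both but content differs (replace from clean media,
    do not just delete); 'missing': in baseline but gone from the slaved drive
    (an AV may already have deleted it, which can leave the system unbootable);
    'unexpected': not in baseline (could be a legitimate third-party driver;
    verify its publisher separately)."""
    return {
        "patched": sorted(n for n in baseline if n in slaved and slaved[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in slaved),
        "unexpected": sorted(n for n in slaved if n not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build two constructed driver folders and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean", "drivers")
        slaved = Path(tmp, "slaved", "drivers")
        for d in (clean, slaved):
            d.mkdir(parents=True)
        # constructed sample contents, not real driver binaries
        (clean / "sample_disk.sys").write_bytes(b"MZ" + b"\x00" * 64)
        (clean / "sample_net.sys").write_bytes(b"MZ" + b"\x01" * 64)
        (clean / "sample_usb.sys").write_bytes(b"MZ" + b"\x02" * 64)
        (slaved / "sample_disk.sys").write_bytes(b"MZ" + b"\x00" * 60 + b"PATCH")  # modified
        (slaved / "sample_net.sys").write_bytes(b"MZ" + b"\x01" * 64)               # intact
        # sample_usb.sys is absent on the slaved drive (deleted)
        (slaved / "vendor_extra.sys").write_bytes(b"MZ" + b"\x03" * 64)             # not in baseline
        return compare_drivers(hash_tree(clean), hash_tree(slaved))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The point of separating the three findings is the one Elise makes: a "patched" driver is restored from clean media of the same version, a "missing" one means something (possibly an AV) already removed a file the boot path may need, and an "unexpected" one is not evidence of infection on its own.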
