Method of Infection
When executed, Alemod.I drops the file "oleext.dll" into the %System% directory with a last modified time matching that of the system file wininet.dll. It then copies %System%\wininet.dll to %System%\oleext32.dll and infects the copy of wininet.dll so that any HTTP requests sent using the DLL are passed through to the oleext.dll component of Alemod.
The trojan also executes an instance of Internet Explorer, without displaying any windows, and then injects code into the Internet Explorer process's memory space that loads "oleext.dll", thus allowing it to hide its presence from the user.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
Alemod.I drops and executes the file %System%\intel32.exe, which displays a red alert icon in the system tray. This file may be detected as Win32.Spudrag.C by CA Antivirus solutions. Please see elsewhere in the encyclopedia for a description of this trojan.

Alemod also modifies the registry so that this file is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\intel32.exe = "%System%\intel32.exe"
Alemod.I also drops wppp.html into the %System% directory, and sets it as the desktop background by further modifying the registry. It also sets the desktop background colour to a matching black so as to appear convincing:
HKCU\Control Panel\Desktop\Wallpaper = "%System%\wppp.html"
HKCU\Control Panel\Colors\Background = "0 0 0"
HKCU\Control Panel\Desktop\WallpaperStyle = "2"
HKCU\Control Panel\Desktop\TileWallpaper = "0"

Should the user left-click on the red alert icon, or the "Click here" link on the wallpaper, Alemod launches the user's default browser to display the page http://www.psguard.com/?*****&sub=0
*Note: This URL has been modified
The Alemod.I DLL uses the mutex "OLEADMUTEX" to avoid loading multiple copies of itself.
Payload
Monitors HTTP Requests
The oleext.dll component reads the contents of HTTP requests and forwards any significant details to one of the following three domains:
ecjnoe3inwe.com
fjrewcer32.com
dkjfwekjnc4.com
It also contacts the alfaportal.com domain, presumably to notify the writer of a new successful compromise.
Modifies System Settings
Alemod sets the following registry key to allow it to rename protected files:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AllowProtectedRenames = 0x1
It then modifies the system file %Windows%\wininit.ini to swap the infected wininet.dll (oleext32.dll) with the real wininet.dll.
Alemod.I then drops an uninstall file, uninstIU.exe, in the %Windows% directory. If executed, this file removes the restrictive desktop policies; however, HTTP requests continue to be monitored.
Alemod then adds this uninstaller to the Add/Remove Programs dialog as "Internet Update" by making these registry modifications:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\Display Name = "Internet Update"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\UninstallString = "uninstIU.exe"
It adds the following registry keys to stop the user from changing the Desktop Wallpaper back (these changes remove the Themes, Desktop and Appearance tabs from the Display Properties dialog):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = 0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage = 0x1
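The registry and file artefacts listed in the Method of Infection section and in Modifies System Settings above can be checked from a single host sweep. The following PowerShell script is an added example, not part of the CA write-up; it assumes the indicator names exactly as given on this page and only reports what it finds, so the output can be triaged before any cleanup.

```powershell
# Added example (not from the original write-up): read-only sweep for the
# Alemod.I registry values, keys, files and mutex named in this description.
# Run as Administrator so that HKLM and %System% are readable.
$sys = [Environment]::GetFolderPath('System')   # %System%
$win = $env:SystemRoot                           # %Windows%

# Registry values the trojan writes: key, value name and expected data.
# Data = $null means "flag the value if it exists at all".
$regIndicators = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'intel32.exe'; Data = $null },
    @{ Key = 'HKCU:\Control Panel\Desktop'; Name = 'Wallpaper'; Data = '*wppp.html' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'AllowProtectedRenames'; Data = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktopChanges'; Data = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispBackgroundPage'; Data = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispAppearancePage'; Data = 1 }
)
# Keys whose mere presence is an indicator (the fake "Internet Update" uninstaller).
$regKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update')
# Files the trojan drops, as named in the write-up.
$files = @("$sys\oleext.dll", "$sys\oleext32.dll", "$sys\intel32.exe", "$sys\wppp.html",
           "$win\uninstIU.exe", "$win\wininit.ini")

$findings = @()
foreach ($i in $regIndicators) {
    $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = $item.($i.Name)
    # -like lets one comparison cover both the wildcard string and the DWORD 1.
    if ($null -eq $i.Data -or ($data -like $i.Data)) {
        $findings += "REG   $($i.Key)\$($i.Name) = $data"
    }
}
foreach ($k in $regKeys) { if (Test-Path $k) { $findings += "KEY   $k" } }
foreach ($f in $files)   { if (Test-Path -LiteralPath $f) { $findings += "FILE  $f" } }

# The DLL holds the mutex "OLEADMUTEX" while loaded; OpenExisting throws if it
# is absent. This only sees mutexes in the current session namespace.
try {
    $m = [System.Threading.Mutex]::OpenExisting('OLEADMUTEX')
    $m.Dispose()
    $findings += 'MUTEX OLEADMUTEX is currently held by a running process'
} catch { }

if ($findings.Count -eq 0) { 'No Alemod.I indicators found.' }
else { 'Alemod.I indicators:'; $findings | ForEach-Object { "  $_" } }
```

A hit on AllowProtectedRenames or wininit.ini on its own is not conclusive, since legitimate installers also use them; treat those as supporting evidence alongside the dropped files and Run value.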
Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP is C:\Windows.
Disables System Restore
Alemod attempts to terminate the stmgr.exe process and then removes its associated registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\*StateMgr
Note: stmgr.exe is a component of the Windows ME Operating System. This process monitors and verifies Windows system directory integrity.
Downloads and Executes Arbitrary Files
The Alemod.I DLL attempts to download the file PSGuardInstall.exe to the user's %Temp% directory and then execute it.
Note: %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".
Modifies Desktop
The trojan drops the icons "ptainfo1.ico" and "ptainfo2.ico" into the %System% directory, as well as the links "Download Movies.url" and "Download Music.url" into the "%Profiles%\Desktop" folder. This causes the two web links, shown with those icons, to be displayed on the desktop.
Double clicking these links directs the user to the "ptinfo.com" domain.
Note: %Profiles% is a variable location and refers to the user's profile folder. The malware determines the location of the current profile folder by querying the operating system. A typical location for this folder is C:\Documents and Settings\<username>
Removes Files and Registry entries
Alemod deletes the file %Windows%\screen.html if it exists, and it removes the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Intel system tool
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AntivirusGold