
HTTP Aurora Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Adware.Aurora communicating with, and requesting information from, its controlling server.

Additional Information

When Adware.Aurora is executed, it performs the following actions:

1. Attempts to contact [http://]www.abetterinternet.com/[REMOVED] and download a number of component files.

2. Creates the following files on the compromised computer:

* %Windir%\Nail.exe
* %Windir%\svcproc.exe
* %Windir%\[RANDOM NAME].exe
* %System%\DrPMon.dll
* %System%\[RANDOM NAME].exe
* %Windir%\IDDJHJM.ini
* %Windir%\abiuninst.htm
* %Windir%\CCEJHONM.ini

Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* [RANDOM NAME] refers to a random sequence of letters used by the security risk in creating the filename.

3. Creates the following registry subkeys:

HKEY_CURRENT_USER\Software\aurora
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc

4. Adds the value:

"[RANDOM NAME]" = "%System%\[RANDOM NAME].exe r"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

5. Modifies the value:

"Shell" = "Explorer.exe"

to

"Shell" = "Explorer.exe %Windir%\Nail.exe"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that it runs every time Windows starts.
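A read-only host check for the file, registry and Winlogon artifacts listed in steps 2 through 5, as an added PowerShell example that is not Symantec's tool or part of this advisory. It assumes a modern Windows where %System% resolves to System32, and it must run from an elevated prompt to read the HKLM subkeys; the [RANDOM NAME] entries cannot be checked by name, so the Run-key check matches the shape of the value instead.

```powershell
# Added host check (not Symantec's code): reports Adware.Aurora artifacts named in
# the advisory above. Read-only; it changes nothing. Assumes %System% = System32.

$findings = @()

# Files named on the page; the random-name files are not checked.
$files = @(
    "$env:windir\Nail.exe",
    "$env:windir\svcproc.exe",
    "$env:windir\IDDJHJM.ini",
    "$env:windir\abiuninst.htm",
    "$env:windir\CCEJHONM.ini",
    "$env:windir\System32\DrPMon.dll"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Registry subkeys the risk creates (step 3).
$keys = @(
    'HKCU:\Software\aurora',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SvcProc'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Winlogon Shell should be exactly "Explorer.exe"; anything appended is a persistence hook (step 5).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
}

# Run-key values shaped like "<System>\<name>.exe r" (step 4; the name is random, so match the shape).
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match '\\System32\\[A-Za-z]+\.exe r$') {
            $findings += "Suspicious Run value: $($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Adware.Aurora artifacts found.' } else { $findings }
```

A hit on the Winlogon Shell or Run-key checks is the strongest indicator, since those are what keep the risk running across reboots.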

Affected

  • Windows 2000
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Uninstall the security risk.
2. Update the definitions.
3. Run the scan.
4. Restart the computer in Safe mode with Command Prompt (Windows 2000/XP).
5. Delete any remaining files manually.
6. Reverse the changes made to the registry.
