DNSChanger.f

This page shows details and results of our analysis on the malware DNSChanger.f

Overview


Minimum DAT: 4993 (2007-03-27)
Updated DAT: 5715 (2009-08-20)
Minimum Engine: 5400.1158
File Length: Varies
Description Added: 2007-03-27
Description Modified: 2008-06-12

Malware Proliferation

Characteristics

-- Update June 11, 2008 --
A recent variant comes with a component which attempts to reconfigure the user's hardware router by sending commands with a default list of usernames and passwords.

DNS and DHCP settings are changed to point to the following IPs (these can vary with different variants):

  • 85.255.115.117
  • 85.255.112.204
  • 85.255.113.74
  • 85.255.112.36

-- Update March 29, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/2061-10789_3-6171460.html?part=rss&tag=2547-1_3-0-20&subj=news

This trojan is installed when the user is tricked into installing a codec. An EULA is presented, but the trojan is installed even if the user chooses to cancel it. Although the EULA text varies between variants, the following is an example screenshot. This codec is detected as DNSChanger.f.dr.

Upon installation this trojan changes the DNS server address to point to its preferred DNS server.

For example, recent variants have been observed pointing it to 85.255.115.46. A quick "whois" on this IP shows that it is in Ukraine.

Rootkit Information

It creates inline hooks on the following APIs in Ntdll.dll in order to hide its components and protect them from deletion by AV software:

  • ZwCreateThread
  • ZwDeleteValueKey
  • ZwQueryDirectoryFile
  • ZwSetValueKey

Registry Changes

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System: "[random].exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer: "85.255.115.46 85.255.112.154" (This is just an example and IP can vary)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer: "85.255.115.46 85.255.112.154" (This is just an example and IP can vary)

Files Added

  • %sysdir%\[random.exe] ~63KB

Symptoms

Method of Infection

The recent incarnation of this trojan is reported to be downloaded via an adult-content browser called "NetBrowserPro". A codec from www.codecaddon.com is installed in order to play the adult content correctly; this trojan is dropped along with the codec.

Removal

All Users:
Use the specified engine and DAT files for detection and removal. Additional steps:

Care needs to be taken when cleaning machines infected with this trojan because of the modifications made to the TCP/IP interface settings. Go to the network settings on your machine (via Control Panel) and restore your previous DNS settings. After making the required changes, you will be prompted with a message box similar to the following:

To do a complete recovery, some modifications to the Windows Registry are required, restoring the keys to their original values. The modified interface settings are under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
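The following PowerShell script is an added example for checking a host for the registry indicators listed in the Registry Changes and Removal sections above; it is not McAfee's code and is not part of the original description. It is read-only and reports findings only, leaving the restore of DNS settings to the steps described above. The IP list is the set quoted on this page; because the description says the addresses vary between variants, the script additionally treats any static name server in 85.255.x.x as suspicious, which is an assumption made for this example and not a statement from the page.

```powershell
# Added example (not from the original write-up): audit a Windows host for the
# DNSChanger.f registry changes described above. Read-only; run from an
# elevated PowerShell prompt.

# Name servers quoted on the page (they vary between variants).
$KnownBadDns = @(
    '85.255.115.117', '85.255.112.204', '85.255.113.74', '85.255.112.36',
    '85.255.115.46',  '85.255.112.154'
)

function Test-SuspiciousDns {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    # NameServer / DhcpNameServer may list several addresses separated by
    # spaces or commas; check each one.
    foreach ($ip in ($Value -split '[ ,]+')) {
        # Exact match against the page's list, plus the 85.255.* range
        # heuristic (an assumption for this example, not from the page).
        if ($KnownBadDns -contains $ip -or $ip -like '85.255.*') { return $true }
    }
    return $false
}

$Findings    = @()
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$DnsValues   = 'NameServer', 'DhcpNameServer'

# 1. Global DNS settings under Tcpip\Parameters
$global = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
foreach ($name in $DnsValues) {
    $v = $global.$name
    if (Test-SuspiciousDns $v) {
        $Findings += [pscustomobject]@{ Location = "$TcpipParams\$name"; Value = $v }
    }
}

# 2. Per-interface DNS settings (the Interfaces key the Removal section
#    says has to be restored to its original values)
foreach ($key in (Get-ChildItem -Path "$TcpipParams\Interfaces" -ErrorAction SilentlyContinue)) {
    $iface = Get-ItemProperty -Path $key.PSPath
    foreach ($name in $DnsValues) {
        $v = $iface.$name
        if (Test-SuspiciousDns $v) {
            $Findings += [pscustomobject]@{ Location = "$($key.Name)\$name"; Value = $v }
        }
    }
}

# 3. Winlogon\System persistence value; it is normally empty, so any
#    executable name here is worth a look.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
if ($winlogon -and -not [string]::IsNullOrWhiteSpace($winlogon.System)) {
    $Findings += [pscustomobject]@{ Location = "$WinlogonKey\System"; Value = $winlogon.System }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No DNSChanger.f registry indicators found.'
} else {
    Write-Output 'Suspicious settings found; restore DNS settings as described in the Removal section:'
    $Findings | Format-Table -AutoSize
}
```

The script deliberately does not rewrite any value: the original DNS settings are not recorded anywhere on the infected machine, so the correct replacement (DHCP-assigned or the organisation's own resolvers) has to be chosen by the person cleaning the host, as the Removal steps above describe. The per-interface check matters because clearing only the global NameServer value leaves an interface-level override in place.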

Variants