McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

DNSChanger.f.dr

This page shows details and results of our analysis on the malware DNSChanger.f.dr

Threat Detail

Malware Type: Trojan

Malware Sub-type: Dropper

Discovery Date: 2007-03-27

Next Steps:

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.  The main objective of this trojan is to change the default DNS entries to its own preferred DNS server.


Minimum DAT

4993 (2007-03-27)

Updated DAT

5637 (2009-06-05)

 Minimum Engine

5.1.00

File Length

varies

 Description Added

2007-03-27

Description Modified

2007-12-27

Malware Proliferation

Characteristics

Some variants will display a series of setup dialogs titled "Domains Error" during installation.

Upon installation this trojan changes the DNS server address to point to its preffered DNS.

For example the recent variants are observed to point it to 85.255.116.189 & 85.255.113.44.

Registry Changes

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer: "85.255.116.189 85.255.113.44" (This is just an example and IP can vary)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DhcpNameServer: "85.255.116.189 85.255.113.44" (This is just an example and IP can vary)

Symptoms

  • Changed DNS server and therefore network activity to a non trustworthy server
  • Changed network configuration under the TCP/IP properties page

Method of Infection

This trojan is reported to be downloaded via visiting untrusted websites in which users are asked to install a software package.

Removal

All Users :
Use specified engine and DAT files for detection and removal. Additional Steps:

Care needs to be taken when cleaning machines infected with this trojan because of the modifications made to the TCPIP interface settings. You need to go to the network setting on your machine (via Control Panel) and revert back your old DNS settings. 

You may also perform the following Windows command sequence to reset the TCP/IP configuration to the default state:

  • Click on Start->Run and type "netsh" followed the ENTER key.
  • Type "int ip reset reset.log" followed by the ENTER key.
  • Type "quit" followed by the ENTER key.

 

Variants

United States - English