The DNSChanger trojan is usually a small file (about 1.5
kilobytes) designed to change the 'NameServer' Registry value
to a custom IP address. This IP address is usually stored
encrypted in the body of the trojan. As a result of this change, a
victim's computer contacts the newly assigned DNS server to
resolve the names of web servers, and some of the resolved
names will not point to the legitimate websites: they will point to
fake websites that look like the real ones but are created to steal
sensitive information (such as credit card numbers, logins and
passwords).
Lately we received a few samples of this trojan that were named
'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed
to change the DNS server address of a victim's computer to
193.227.227.218.
The Registry key that is affected by this trojan is:
[HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]
"NameServer"
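The following script is an added example for administrators and is not part of the original F-Secure writeup: it reads the 'NameServer' values under the Tcpip\Parameters key and its per-interface subkeys and flags any that are either the address named above or not on an allow-list. The allow-list of approved resolvers is an assumption and must be replaced with your own.

```powershell
# Added example (not from the F-Secure writeup): audit the 'NameServer' values
# that DNSChanger modifies and report anything unexpected.
$KnownBadDns = @('193.227.227.218')          # address named in the writeup
$ApprovedDns = @('10.0.0.53', '10.0.1.53')   # ASSUMPTION: replace with your own resolvers

# The writeup names ControlSet001; CurrentControlSet is the live one, so check both.
$Roots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
    'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters'
)

$Findings = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    # The global Parameters key plus one subkey per network interface (named by GUID)
    $keys = @(Get-Item $root) + @(Get-ChildItem "$root\Interfaces" -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        # NameServer is a REG_SZ holding one or more addresses separated by commas or spaces
        foreach ($ip in ($value -split '[,\s]+' | Where-Object { $_ })) {
            if ($KnownBadDns -contains $ip) {
                [pscustomobject]@{ Key = $key.PSPath; NameServer = $ip; Verdict = 'KNOWN-BAD (DNSChanger)' }
            } elseif ($ApprovedDns -notcontains $ip) {
                [pscustomobject]@{ Key = $key.PSPath; NameServer = $ip; Verdict = 'UNEXPECTED' }
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No unexpected NameServer values found.' }
```

Run it in an elevated PowerShell session; a 'KNOWN-BAD' verdict on any interface key is a direct indicator of this trojan, while 'UNEXPECTED' entries need to be checked against the DNS settings your network actually hands out.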
Never open such files, especially when they arrive by e-mail or via
instant messenger (ICQ, MSN, etc.).
Writeup and Technical Details:
Alexey Podrezov, November 7th, 2005;
F-Secure Corporation