Trojan:W32/DNSChanger.ARNF

Name: Trojan:W32/DNSChanger.ARNF
Detection Names: Worm.Win32.AutoRun.udt
Aliases: TR/Crypt.XPACK.Gen (Avira), Trojan:Win32/Alureon.gen!J (Microsoft)
Size: 31744
Category: Malware
Type: Trojan
Platform: W32

Summary

A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. The program is often started by the user, and it does not usually replicate.

Details

Registry Modifications

Sets these values:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\Control
      ActiveService = Spooler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvx
      msqpdxrun = dword:00000047
      msqpdxpff =
      msqpdxaff =
      msqpdxinfo =
      msqpdxid = "rfx |
      |fcegeea "
      msqpdxsrv = dword:6802f719
  • HKEY_CLASSES_ROOT\msqpdxvx
      msqpdxrun = dword:00000047
      msqpdxpff =
      msqpdxaff =
      msqpdxinfo =
      msqpdxid = "rfx |
      |fcegeea "
      msqpdxsrv = dword:6802f719

Creates these keys:

  • HKEY_LOCAL_MACHINE\Software\Classes\msqpdxvx
  • HKEY_CLASSES_ROOT\msqpdxvx

Additional Details

This malicious software is dropped onto the system by Trojan-Dropper:W32/Agent.FLN. It changes the DNS settings of the infected system so that information such as passwords and credit card details can be captured.

Installation

During installation, this malware creates the following files:

  • c:\autorun.inf
      contains the autostart routine for c:\resycled\boot.com
  • c:\resycled\boot.com
      detected as Trojan:W32/DNSChanger.ARNF

It also creates this directory:

  • c:\resycled

Execution

Once installed, this malware attempts to connect to a website via HTTP POST:

  • http://94.247.2.104/[...]/generator

It is capable of changing the DNS settings on the machine to:

  • 85.255.115.237
  • 85.255.112.201
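The indicators above (the msqpdxvx registry keys, the dropped autorun.inf and boot.com, the two rogue DNS servers and the HTTP POST to 94.247.2.104) can be checked offline against artifacts collected from a host. The script below is an added example written for this description and is not F-Secure's code or tooling; it assumes the artifacts are supplied as text in the usual formats (an `ipconfig /all` capture, a `.reg` export, the contents of autorun.inf, a list of file paths and proxy log lines), and every sample input in it is constructed for illustration.

```python
"""Offline triage for the Trojan:W32/DNSChanger.ARNF indicators above.

Added example (not the vendor's code). It runs over artifacts already
collected from a host and reports which of the listed indicators match.
"""
import re

# Indicators as listed in the description
ROGUE_DNS = {"85.255.115.237", "85.255.112.201"}
C2_IP = "94.247.2.104"
REG_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvx",
            r"HKEY_CLASSES_ROOT\msqpdxvx"}
DROPPED_FILES = {r"c:\autorun.inf", r"c:\resycled\boot.com"}
PAYLOAD_TAIL = r"resycled\boot.com"   # what autorun.inf is expected to launch

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def dns_servers_from_ipconfig(text):
    """Collect the 'DNS Servers' entries from an `ipconfig /all` capture.

    Windows prints additional servers on their own indented lines below the
    label, so an indented line without a ' : ' label of its own continues
    the list that the previous label started.
    """
    servers, capturing = [], False
    for line in text.splitlines():
        is_label = " : " in line or line.rstrip().endswith(" :")
        if capturing and line[:1].isspace() and not is_label:
            servers.extend(IPV4.findall(line))
            continue
        capturing = False
        if is_label and "DNS Servers" in line:
            servers.extend(IPV4.findall(line.split(":", 1)[1]))
            capturing = True
    return servers


def registry_indicators(reg_export):
    """Map each listed key found in a .reg export to the value names under it."""
    wanted = {k.lower() for k in REG_KEYS}
    hits, current = {}, None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower() in wanted else None
            if current is not None:
                hits[current] = []
        elif current is not None and "=" in line:
            hits[current].append(line.split("=", 1)[0].strip('"'))
    return hits


def autorun_targets(autorun_inf):
    """Return what an autorun.inf launches: open=, shellexecute= and
    shell\\<verb>\\command= entries."""
    targets = []
    for line in autorun_inf.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute")
                    or (key.startswith("shell\\") and key.endswith("\\command"))):
            targets.append(value.strip())
    return targets


def triage(ipconfig_text, reg_export, autorun_inf, file_listing, proxy_log=""):
    """Run every check; any single hit is enough to treat the host as infected."""
    dropped = {f.lower() for f in DROPPED_FILES}
    findings = {
        "rogue_dns": sorted(set(dns_servers_from_ipconfig(ipconfig_text)) & ROGUE_DNS),
        "registry": registry_indicators(reg_export),
        "autorun_launches_payload": any(
            t.lower().replace("/", "\\").endswith(PAYLOAD_TAIL)
            for t in autorun_targets(autorun_inf)),
        "dropped_files": sorted(p for p in file_listing if p.lower() in dropped),
        "c2_contacts": [l for l in proxy_log.splitlines() if C2_IP in l and "POST" in l],
    }
    findings["infected"] = any(bool(v) for v in findings.values())
    return findings


# --- constructed sample artifacts (not real captures) ---
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.115.237
                                       85.255.112.201
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvx]
"msqpdxrun"=dword:00000047
"msqpdxsrv"=dword:6802f719

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"
"""
AUTORUN_SAMPLE = "[autorun]\r\nopen=resycled\\boot.com\r\nshell\\open\\command=resycled\\boot.com\r\n"
FILE_LISTING = [r"C:\autorun.inf", r"C:\resycled\boot.com", r"C:\Windows\notepad.exe"]
# constructed proxy line; the URL path is elided exactly as in the description
PROXY_SAMPLE = "2009-01-01T10:00:00 192.168.1.20 POST http://94.247.2.104/[...]/generator 200\n"

if __name__ == "__main__":
    for name, value in triage(IPCONFIG_SAMPLE, REG_SAMPLE, AUTORUN_SAMPLE,
                              FILE_LISTING, PROXY_SAMPLE).items():
        print(f"{name}: {value}")
```

Two points worth keeping in mind when reading the output: HKEY_CLASSES_ROOT is a merged view that includes HKEY_LOCAL_MACHINE\SOFTWARE\Classes, so the msqpdxvx key appearing under both hives in the listing above reflects a single write, and a `.reg` export will normally show it once; and the DNS check only covers what `ipconfig /all` reports, so a host whose settings were already reverted by a cleanup tool can still carry the registry and file indicators.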