Threat Descriptons



Category :


Type :


Aliases :

Trojan:W32/DNSChanger.ARNF, Trojan:W32/DNSChanger.ARNF, Worm.Win32.AutoRun.udt, TR/Crypt.XPACK.Gen (Avira), Trojan:​Win32/Alureon.gen!J (Microsoft)


A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. The program is often started by the user, and it does not usually replicate.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This malicious software is dropped onto the system by Trojan-Dropper:W32/Agent.FLN. It is used to change the DNS settings on a system so that information such as passwords and credit card details can be retrieved.


During installation, this malware creates the following files:

  • c:\autorun.inf - contains the autostart routine for c:\resycled\
  • c:\resycled\ - detected as Trojan:W32/DNSChanger.ARNF

It also creates this directory:

  • c:\resycled


Once installed, this malware attempts to connect to a website via HTTP POST:


It is capable of changing the DNS settings in the machine to:


Registry Modifications

Sets these values:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ControlActiveService = Spooler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvxmsqpdxrun = dword:00000047msqpdxpff =msqpdxaff =msqpdxinfo =msqpdxid = "rfx ||fcegeea "msqpdxsrv = dword:6802f719
  • HKEY_CLASSES_ROOT\msqpdxvxmsqpdxrun = dword:00000047msqpdxpff =msqpdxaff =msqpdxinfo =msqpdxid = "rfx ||fcegeea "msqpdxsrv = dword:6802f719

Creates these keys:

  • HKEY_LOCAL_MACHINE\Software\Classes\msqpdxvx
  • HKEY_CLASSES_ROOT\msqpdxvx
More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.