Trojan:W32/Dllpatcher modifies the dnsapi.dll file Windows module to point to a new hosts file it creates, which contains additional hostnames and IP addresses.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More scanning & removal options
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Trojan:W32/Dllpatcher attempts to 'patch' or modify the dnsapi.dll file, a module that assists the DNS client service in the Windows operating system, essentially by caching the Domain Name System (DNS) names requested during a web browsing session. Due to its behavior, the trojan is also referred to as a 'DLL patcher'.
When active, this trojan will create a new hosts file that contains both the original hosts file values as well as additional prepended hostnames and IP addresses. The malware will then patch the dnsapi.dll file to point it to the newly created hosts file. Subsequently, the dnsapi.dll will refer to the new hosts file when attempting to map hostnames to IP addresses.
This trojan has been most commonly reported in France, though it is also noted in the United States, the Netherlands and a few other countries.
Distribution & installation
The DLL patcher is included in an installer file, which is most commonly downloaded and saved to the temp folder using the filename, extensionupdate.exe (SHA1: CA1EC9706C15C457F2515ED1921F85A348BFC5AD).
When the downloaded file is executed, it will drop and execute the DLL patcher. In the sample analyzed, the dropped file (SHA1:59BD1154FF4735B81DB038ECE54C230337533497) was named orion.exe. The orion.exe file also has the following component files:
File creation & execution
The orion.exe file creates the new hosts file in the %windir%/system32/ location, with a random directory and file name, for example:
- C:\WINDOWS\system32\neb\okhb\ vobg.dat
The path length of the new hosts file however must match the path length of the old hosts file. The new file uses a '.dat' extension and will contain the following prepended entries:
- 22.214.171.124 www.google-analytics.com
- 126.96.36.199 ssl.google-analytics.com
- 188.8.131.52 partner.googleadservices.com
- 184.108.40.206 google-analytics.com
- 220.127.116.11 static.doubleclick.net
- 18.104.22.168 connect.facebook.net
Next, the DLL patcher locates the dnsapi.dll file (either in %windir%\system32\ or %windir%\SysWOW64\) and modifies it to use the path of the new hosts file it created:
Original path for hosts file
Patched path pointing to newly-created hosts file
To facilitate using the new hosts file, on the next system bootup the DLL patcher will use the following registry key to flush the DNS cache:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cmdrun cmd.exe /C ipconfig /flushdns
This ensures that the information in the new hosts file does not conflict with older data in the DNS cache.
It will also create the following mutexes:
- Global\Matil da
- Global\Nople Mento
The DLL patcher attempts to evade monitoring by security products by checking for VMWare- and VBox-related registry keys:
- HKLM \ DESCRIPTION \ System \ BIOS vbox - HKLM \ DESCRIPTION \ System \ BIOS vmware
It also checks for the existence of SbieDll.dll (a component related to the Sandboxie virtual environment program) and for various VMware-related devices. If any of these are found on the infected machine, the malware exits and does nothing further.
Once the trojan has completed its tasks, its components are quietly deleted.
Technical Details: (25 September 2015) Description first published.
Description Last Modified: (28 September 2015) Description edited to replace the original detection name (Trojan.GenericKD.2732606) with the updated name Trojan:W32/Dllpatcher, for greater clarity.