Trojan:W32/Dllpatcher.A

Threat description

Details

CATEGORYMalware
TYPETrojan

Summary

Trojan:W32/Dllpatcher modifies the dnsapi.dll file Windows module to point to a new hosts file it creates, which contains additional hostnames and IP addresses.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Trojan:W32/Dllpatcher attempts to 'patch' or modify the dnsapi.dll file, a module that assists the DNS client service in the Windows operating system, essentially by caching the Domain Name System (DNS) names requested during a web browsing session. Due to its behavior, the trojan is also referred to as a 'DLL patcher'.

When active, this trojan will create a new hosts file that contains both the original hosts file values as well as additional prepended hostnames and IP addresses. The malware will then patch the dnsapi.dll file to point it to the newly created hosts file. Subsequently, the dnsapi.dll will refer to the new hosts file when attempting to map hostnames to IP addresses.

This trojan has been most commonly reported in France, though it is also noted in the United States, the Netherlands and a few other countries.

Distribution & installation

The DLL patcher is included in an installer file, which is most commonly downloaded and saved to the temp folder using the filename, extensionupdate.exe (SHA1: CA1EC9706C15C457F2515ED1921F85A348BFC5AD).

When the downloaded file is executed, it will drop and execute the DLL patcher. In the sample analyzed, the dropped file (SHA1:59BD1154FF4735B81DB038ECE54C230337533497) was named orion.exe. The orion.exe file also has the following component files:

  • libnspr4.dll
  • libplc4.dll
  • libplds4.dll
  • nss3.dll
  • nssutil3.dll
  • smime3.dll
File creation & execution

The orion.exe file creates the new hosts file in the %windir%/system32/ location, with a random directory and file name, for example:

- C:\WINDOWS\system32\neb\okhb\
  vobg.dat

The path length of the new hosts file however must match the path length of the old hosts file. The new file uses a '.dat' extension and will contain the following prepended entries:

  • 107.178.255.88 www.google-analytics.com
  • 107.178.255.88 ssl.google-analytics.com
  • 107.178.255.88 partner.googleadservices.com
  • 107.178.255.88 google-analytics.com
  • 107.178.248.130 static.doubleclick.net
  • 107.178.247.130 connect.facebook.net

Next, the DLL patcher locates the dnsapi.dll file (either in %windir%\system32\ or %windir%\SysWOW64\) and modifies it to use the path of the new hosts file it created:

Original path for hosts file

Patched path pointing to newly-created hosts file

To facilitate using the new hosts file, on the next system bootup the DLL patcher will use the following registry key to flush the DNS cache:

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cmdrun
  cmd.exe /C ipconfig /flushdns

This ensures that the information in the new hosts file does not conflict with older data in the DNS cache.

It will also create the following mutexes:

  • Global\Matil da
  • Global\Nople Mento
Security evasion

The DLL patcher attempts to evade monitoring by security products by checking for VMWare- and VBox-related registry keys:

- HKLM \ DESCRIPTION \ System \ BIOS
  vbox
- HKLM \ DESCRIPTION \ System \ BIOS
  vmware  

It also checks for the existence of SbieDll.dll (a component related to the Sandboxie virtual environment program) and for various VMware-related devices. If any of these are found on the infected machine, the malware exits and does nothing further.

Once the trojan has completed its tasks, its components are quietly deleted.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

More Info