Home > Threat descriptions >



Category: Malware

Type: Trojan

Aliases: Trojan:W32/DNSChanger, Win32/Alureon


DNSChanger is a trojan that will change the infected system's Domain Name Server (DNS) settings, in order to divert traffic to unsolicited, and potentially illegal sites.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different webservers.

Variant: Trojan.Win32.DNSChanger.al

Lately we got a few samples of this trojan that were named 'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed to change the DNS server name of a victim's computer to address. The Registry key that is affected by this trojan is:

  • [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces] "NameServer"
Registry Modifications

Creates these keys:

  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}NameServer = 85.255.xxx.133,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer = 85.255.xxx.xxx,85.255.xxx.xxx