TROJ_PAKES


ALIASES:

Renos, Zlob, DNSChanger

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Trojan
  • Destructiveness: No
  • Encrypted: 
  • In the wild: Yes

OVERVIEW

Infection Channel:

Downloaded from the Internet

Spotted since 2006, PAKES malware has been involved in incidents where it was downloaded bundled with other malware. In 2008, PAKES was also bundled with a spam delivery notification that led to the download of several other malware.

PAKES is designed to change the DNS settings of the network router in order to redirect network traffic to malicious websites. In effect, money is indirectly stolen by cybercriminals, as traffic intended for legitimate sites is redirected to other sites.

TECHNICAL DETAILS

Memory Resident:

Yes

Installation

This Trojan drops the following file(s)/component(s):

  • %System%\spool\prtprocs\w32x86\{random}.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %User Temp%\tmp{random characters}.tmp
  • %User Temp%\{random 5 letters}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
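The dropped-file locations above are the artifacts a responder would hunt for on a suspect host. The following script is an added example (not from the Trend Micro write-up) that scans a file inventory for a non-standard DLL in the print processor directory and for the temp-folder copies described; the allowlist of legitimate print processors is an assumption and should be replaced with your own baseline.

```python
import re
from pathlib import PureWindowsPath

# Assumed allowlist: winprint.dll is the stock print processor on XP / Server 2003.
# Extend it from a known-clean baseline of your own systems before hunting.
KNOWN_PRINT_PROCESSORS = {"winprint.dll"}

# Patterns for the %User Temp% copies described in the write-up.
TMP_COPY = re.compile(r"^tmp[0-9a-z]+\.tmp$", re.IGNORECASE)
FIVE_LETTERS = re.compile(r"^[a-z]{5}$", re.IGNORECASE)


def find_pakes_artifacts(paths, known_print_processors=KNOWN_PRINT_PROCESSORS):
    """Return (path, reason) pairs for entries matching the dropped-file locations."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        parts = [s.lower() for s in p.parts]
        name = p.name.lower()
        # 1. A DLL in spool\prtprocs\w32x86 that is not a known print processor.
        if (
            name.endswith(".dll")
            and len(parts) >= 5
            and parts[-4:-1] == ["spool", "prtprocs", "w32x86"]
            and name not in known_print_processors
        ):
            hits.append((raw, "unexpected print processor DLL"))
            continue
        # 2. Copies dropped directly inside a user's Temp folder.
        if len(parts) >= 2 and parts[-2] == "temp":
            if TMP_COPY.match(name):
                hits.append((raw, "tmp{random}.tmp copy in user Temp"))
            elif FIVE_LETTERS.match(name):
                hits.append((raw, "5-letter extensionless file in user Temp"))
    return hits


# Constructed sample inventory for demonstration; these are not real indicators.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\spool\prtprocs\w32x86\winprint.dll",
    r"C:\WINDOWS\system32\spool\prtprocs\w32x86\kqzxvb.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\tmp3f2a.tmp",
    r"C:\Documents and Settings\alice\Local Settings\Temp\qwerd",
    r"C:\Documents and Settings\alice\Local Settings\Temp\report.docx",
]

if __name__ == "__main__":
    for path, reason in find_pakes_artifacts(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```

Feed it the output of a recursive directory listing (or a forensic image's file list) rather than the constructed sample; any hit on the print processor directory should be verified by signature and hash before it is treated as PAKES.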

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}.{BLOCKED}.186.237/index.php
  • http://{BLOCKED}riverart.com/bskcua.php
  • http://{BLOCKED}tmuseum.com/fakbwq.php