Analysis by: Karl Dominguez

 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

During the testing of this Trojan, the IP addresses set as the DNS servers are the following:

• Preferred DNS server: {BLOCKED}.{BLOCKED}.97.20

• Alternate DNS Server: {BLOCKED}.{BLOCKED}.97.21

As a result, Internet activities on the affected sytem can be monitored by a remote malicious user.

This Trojan may be downloaded from remote sites by other malware.

  TECHNICAL DETAILS

File Size: 17,408 bytes
File Type: PE
File Compression: Delphi
Memory Resident: No
Initial Samples Received Date: 14 Sep 2009
Payload: Connects to URLs/Ips, Compromises system security, Adds an uninstall option to the Control Panel

Arrival Details

This Trojan may be downloaded from remote site(s) by the following malware:

  • TROJ_PIDIEF.AAL

It may be downloaded from the following remote sites:

  • http://{BLOCKED}.{BLOCKED}.175.29/load.php

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Program Files%\Common Files\{random file name}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
DnsUpdater = %Program Files%\Common Files\{malware file name}.exe

Other Details

This Trojan adds the following registry entries to add an uninstall option to the Control Panel:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1\if1
(Default) = {ethernet adapter}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1
UninstallString = %Program Files%\Common Files\{malware file name}.exe uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1
DisplayName = DNS Changer (remove only)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1
Size =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1
NoModify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1
NoRepair = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1\if1
DhcpEnabled = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1\if1
DnsRecords = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
DnsUpdater1
DnsFile = {BLOCKED}.{BLOCKED}.97.20 {BLOCKED}.{BLOCKED}.97.21

Based on analysis of the codes, it has the following capabilities:

  • Connects to this URL to get IP addresses that it sets as the new DNS server address: http://www.{BLOCKED}ckin.com/inlogger.php?h={computer name}&u={user name}&t={execution time}
  • Connects to this URL for succeeding executions to check for new IP addresses that it sets as the new DNS server address: http://www.{BLOCKED}ckin.com/dns_update.php

It connects to the following possibly malicious URL:

  • http://www.{BLOCKED}ckin.com/inlogger.php?h={computer name}&u={user name}&t={execution time}
  • http://www.{BLOCKED}ckin.com/dns_update.php

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 6.444.03
FIRST VSAPI PATTERN DATE: 14 Sep 2009
VSAPI OPR PATTERN File: 6.887.00
VSAPI OPR PATTERN Date: 02 Mar 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
    • DnsUpdater1

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DnsUpdater
    • DnsUpdater=%Program Files%\Common Files\{malware file name}.exe

Step 4

Scan your computer with your Trend Micro product to delete files detected as TROJ_DNSCHANG.XT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Related Malware