Renos, Zlob, DNSChanger


Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


Infection Channel: Downloaded from the Internet

Spotted since 2006, PAKES malware has been involved in some incidents wherein it is downloaded bundled with other malware. PAKES was also bundled in a spam delivery notification that led to the download of several malware in 2008.

PAKES is designed to change the DNS settings of the network router. This is done to redirect network traffic to malicious websites. In effect, money is indirectly stolen by cybercriminals, as the traffic intended for legitimate sites are redirected to other sites.


Memory Resident: Yes


This Trojan drops the following file(s)/component(s):

  • %System%\spool\prtprocs\w32x86\{random}.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %User Temp%\tmp{random characters}.tmp
  • %User Temp\{random 5 letters}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.186.237/index.php
  • http://{BLOCKED}
  • http://{BLOCKED}