VirusW32/DNSChanger.A!tr
Analysis
W32/DNSChanger.A!tr - 06-01-10
General Info:
This threat is a "PE" executable file, with file size 28160
Files:
- Drop files: ".exe" + ".dll"
Installation to System:
- When run, it copies itself to:
- It doesn't copy itself ; - it does delete the initial file. - Drops the following files:
- It drops the file idemlog.exe in the undefinedSystemundefined folder - this threat is known as W32/AdClicker.BM!bdr, which then drops other files. - It drops the file q930956218_disk.dll in the undefinedWINDOWSundefined folder - this threat is know as W32/Delf.ZU-dldr. - It drops the - And creates these registry entries:
- It modifies the DNS entries to make them point to an Ukrainian webhosting server : HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[id]\NameServer = 85.255.113.138,85.255.112.79 - The dropped malwares also modify the registry.
More Info:
This trojan modifies the NameServer registry entries to make them point to 85.255.113.138 and 85.255.112.79 - these are the nameservers of the Ukrainian InHost webhosting service. This technique is often used by pharmers to transparently redirect the users browsers to false online banking or auctions services : when the user type in the URL, the DNS request is transmitted to either a poisoned or private NameServer which then provide the IP address of a server controlled by the attacker.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2023-04-04 | 91.02050 | |
| 2023-03-07 | 91.01211 | |
| 2023-01-31 | 91.00156 | |
| 2022-05-31 | 90.02802 | |
| 2020-10-20 | 81.23000 | Sig Updated |
| 2020-08-24 | 79.87500 | Sig Updated |
| 2020-04-07 | 76.53400 | Sig Updated |
| 2020-01-03 | 74.27800 | Sig Updated |
| 2019-12-10 | 73.69300 | Sig Updated |
| 2019-12-05 | 73.58000 | Sig Updated |