NoVirusThanks Blog » DNSChanger

PluginVideo a false Codec that installs Trojan.DNSChanger

admin — Thu, 04 Jun 2009 23:13:08 +0000

In the last few days, while browsing the Internet I was redirected to a file named VideoCodec.exe, and another file named PluginCodec.exe. Both files are false video codecs, and are actually infected with Trojan.DNSChanger!

Trojan DNSChanger is a trojan that will modify the DNS settings on the compromised computer to point to a rouge DNS server, some the effects of this could be the victim cannot update their Antivirus anymore, search results will be hijacked by the trojans and the victim will be redirected to affiliate webpages or porn websites. In some cases the trojan can redirect the victim to a phishing page, that aims steal information regarding credit cards, or bank accounts.

This kind of trojan can install other backdoors on the affected system such as BHOs (Browser Helper Objects), or Rootkit Drivers that are used to hide the trojan presence and to protect the registry keys from being deleted by the user, or by other security software.

This is a screenshot of the VideoCodec installation window:

When the program is executed, it creates the following files:

%User%\LOCALS~1\Temp\PluginVideo.exe
C:\autorun.inf
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\drivers\gxvxcvpawwkrvklrlnsvxextpuyfwaadaswwx.sys
C:\WINDOWS\system32\gxvxcvmdbxrmbpjpgwmrqphukiabsqwmicjnt.dll
C:\WINDOWS\system32\gxvxcnopsdxpgyqxwsgkjsqmrnmbvbqhwipoo.dll
C:\WINDOWS\system32\gxvxccount
%User%\LOCALS~1\Temp\gaopdx1148761
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\Program Files\PluginVideo
C:\Program Files\PluginVideo\Uninstall.exe
%User%\Start Menu\Programs\PluginVideo
%User%\Start Menu\Programs\PluginVideo\Uninstall.lnk

The program creates the following registry entries:

HKLM\System\CCS\Services\Tcpip\..\{B84DA37B-654A-4425-ACA3-DE03D2022067}: 
NameServer = 85.255.112.151,85.255.112.207
HKLM\System\CS1\Services\Tcpip\Parameters: 
NameServer = 85.255.112.151,85.255.112.207
HKLM\System\CCS\Services\Tcpip\Parameters: 
NameServer = 85.255.112.151,85.255.112.207

The file that was created in C:\autorun.inf is used by the trojan to spread itself on removable devices such as USB Drives:

The USB spreading procedure works as follows:

1) User inserts an USB Device in the infected PC;
2) The trojan hijacks the autorun.inf on the USB and copies itself to the USB Device under the folder \RECYCLE\***;
3) The user inserts the USB in another PC;
4) If the PC has the “Autorun” enabled, the file autorun.inf from the USB Device will execute the trojan and the PC will be infected.

The program generates the following Internet traffic on port 80:

POST /cgi-bin/generator HTTP/1.0
Host: 213.163.64.81
Content-Length: 73
 
POST /adc.php HTTP/1.0
Host: 213.163.64.81
Content-Length: 44
Pragma: no-cache

From the following traffic we can see that the trojan started to attack the router login page:

GET /index.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X
 
GET /dlink/hwiz.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X
 
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X
 
GET /index.asp HTTP/1.1
Authorization: Basic YWRtaW46
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X
 
GET / HTTP/1.1
Authorization: Basic cm9vdDp=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.XXX.XX.X

Fake Flash Player and Trojan DNSChanger.gen

admin — Wed, 10 Dec 2008 16:26:37 +0000

Steve has found a very interesting sample in the wild that looks like a fake flash player that installs the DNSChanger trojan in the victim’s computer. The malicious file is named FlashPlayer.v..exe:

Report Generated 10.12.2008 at 16.48.20 (GMT 1)
Filename: FlashPlayer.v..exe
File size: 78 KB
MD5 Hash: D2EBDAB38246882A8A39F819DB44736D
SHA1 Hash: 4226D3B1C92EC7BE33E9785ABA669427EC86E172
CRC32: 1111798076
Application Type: Executable (EXE) 32bit
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 5 on 24

Antivirus Result
a-squared -
Avira AntiVir -
Avast Win32:Fasec [Trj] (0)
AVG Trojan horse Downloader.Zlob.AHRH
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA -
IkarusT3 -
Kaspersky -
McAfee Generic.dx trojan
MHR -
NOD32 v3 a variant of Win32/Kryptik.CN trojan
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos Mal/BadNSIS
TrendMicro -
VBA32 -
VirusBuster -

When I executed the malicious file, it established a connection with this IP:

1	94.247.2.104 (hs.2-104.zlkon.lv)

Internet traffic:

Protocol          : TCP
Remote Address    : 94.247.2.104
Local Port        : 1209
Remote Port       : 80
Service Name      : http
Packets           : 302
Data Size         : 177.593 Bytes
Total Size        : 189.798 Bytes
Capture Time      : 10/12/2008 15.27.53:796
==================================================
 
POST /cgi-bin/generator  HTTP/1.0
Conten tLength: 294
HTTP/1.1 200 OK
Date: Wed, 10 Dec 2008 14:27:46 GMT
Server: Apache/2.0.63 (FreeBSD) PHP/5.2.6 with SuhosinPatch
Time: r57:62464 e0:114688
ContentLength: 177209
Connection: close
ContentType: text/html
...

A new window appeared on the screen and asked me where to install a program named homeview:

The program creates the following files:

%User%\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
%User%\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll

We can see that it has dropped a rootkit driver in C:\WINDOWS\system32\drivers\, called msqpdxpqxtoiqh.sys, after the hidden execution of a file called jah30006.exe. Another interesting file is C:\autorun.inf that is used by the trojan to spread itself on removable devices such as USB Drives.

Scan report of jah30006.exe:

Report Generated 10.12.2008 at 16.05.55 (GMT 1)
Filename: jah30006.exe
File size: 31 KB
MD5 Hash: 9883BB653A59CC988F7B88C59021F378
SHA1 Hash: 02425C4E7C5E28773AC3DD776344DA576FDC30E8
CRC32: 2335540674
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 6 on 24

Antivirus Result
a-squared -
Avira AntiVir TR/Crypt.XPACK.Gen
Avast Win32:Fasec [Trj] (0)
AVG -
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Win32:Fasec [Trj] B
IkarusT3 -
Kaspersky -
McAfee -
MHR -
NOD32 v3 a variant of Win32/Kryptik.CN trojan
Norman -
Panda -
QuickHeal Suspicious
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster Trojan.FakeAlert.Gen!Pac.2

Scan report of msqpdxpqxtoiqh.sys:

Report Generated 10.12.2008 at 17.01.14 (GMT 1)
Filename: msqpdxpqxtoiqh_sys
File size: 61 KB
MD5 Hash: 17A2B5116B87C12E28BAEBECC60F7304
SHA1 Hash: BF8A4034925E4767093FA10BA5AFA6174A77AA0C
CRC32: 1004260316
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 0 on 24

With RkU we can see the malware hooks some functions in ring0:

It also detected stealth code:

We can see the registry key of the rootkit driver in regedit:

But we cannot delete the key because of the hooks that protect the registry key from being deleted by the user:

Following files are hidden from explorer search because of the hooks that obfuscate the presence of the files:

1 2	C:\WINDOWS\system32\msqpdxosvnnrse.dll C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys

During the analysis, the malware was always establishing connections with:

1	85.255.116.74

We noticed some DNS/Domain requests:

Protocol: UDP
Remote IP: 85.255.116.74
Remote Port: 53
 
Domains requested:
fhubwxkgmq.com
qmmjwtrjct.com
tjonvuhvgv.com
asxnrzfdfr.com
dabewiktps.com
qiymojdore.com
drnjrnynzu.com
vamjhejtdp.com
lvdmruupam.com
vopnqghkod.com
wmjdkvisas.com
hybcbhvdsn.com
jrvwyuxtph.com
iaamqweyjs.com
nqztypflph.com
hqzwkrdlbh.com
scjrozdgvo.com
fozzwjsety.com
tfdbwksekz.com
qpemkihnno.com
evinsyxmhf.com
quqinwobrm.com
elgoylwubi.com
kzusbnjhho.com
ssqnqjvhgj.com
daxtdftkwc.com
pgxbfosrrf.com
lcusdjkcct.com
nycmxxcioa.com
gvelbfneqn.com
lgewdcehgy.com
wqnkwlicjg.com
hgqlzvkrod.com
jkcqecilmu.com
kzsidyqwgc.com
vemibooppc.com
kqiruvpjrt.com
byazjnmwbu.com
zyaiufmmsd.com
bkwgesporj.com
syieqxtbvb.com
mzibepwflm.com
engtpajzdh.com
ijgvtheraq.com
yecttchanp.com
rtavqgowqv.com
juvaajbjhy.com
aaqsjtulbt.com
bpgesmjpyp.com
dhynqijxcb.com
gkyjwezchl.com
bdzumfarmj.com
yridxcjcgt.com
hmehdpaxuy.com
xhyrqgrhid.com
thwyujthry.com
plhmbziqga.com
tmtpnehras.com
ewosixkvmt.com
jjmtfedacq.com
uppyviajwu.com
azhexmards.com

Below there is the HiJackThis log with the malware traces:

O17 – HKLM\System\CCS\Services\Tcpip\..\{B84DA37B-654A-4425-ACA3-DE03D2022067}: NameServer = 85.255.116.74;85.255.112.167
O17 – HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
O17 – HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167

We can see that the malware change the Tcpip Parameters and everytime you visit a site you will send traffic to these IPs:

1 2	85.255.116.74 85.255.112.167

Fyyre has unpacked the rootkit driver and we can extract interesting strings from the code:

msqpdx
%s%s%s
\systemroot\system32\drivers\msqpdxserv.sys
\systemroot\system32\msqpdxl.dll
file system
\\?\globalroot
iexplore.exe
firefox.exe
svchost.exe
msqpdxl.dll
NtFlushInstructionCache
LoadLibraryExA
chkdsk.exe
System
TDL2 Loaded
%.*S
ntoskrnl.exe
hal.dll
ExAllocateFromPagedLookasideList
KeI386GetLid
IoDeviceHandlerObjectSize
RtlxAnsiStringToUnicodeSize
InbvSolidColorFill
tolower
READ_PORT_UCHAR
HalReportResourceUsage
HalAllocateAdapterChannel
HalInitSystem
HalGetBusData
IoSetPartitionInformation
HalAllocateCrashDumpRegisters
HalGetInterruptVector
HalReadDmaCounter
\registry\machine\system\currentcontrolset\services\msqpdxserv.sys\modules
\registry\machine\system\currentcontrolset\services\msqpdxserv.sys
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv\0000\control
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv\0000
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv
start
type
mgroup
imagepath
msqpdx
\registry\machine\software\msqpdx\injector
l*\KERNEL32.DLL
*\NTDLL.DLL
\registry\machine\software\msqpdx\disallowed
registry\machine\software\msqpdx\trusted
\registry\machine\software\msqpdx\connections
\FileSystem\FltMgr
*\msqpdx*
*\TEMP\msqpdx*
\filesystem\fastfat
\filesystem\ntfs
\driver\tcpip
\driver\ftdisk
\driver\volsnap
iexplore.exe
ntdll.dll
kernel32.dll

How to remove Trojan DNSChanger.gen ?

1] Boot in Safe Mode (F8)

2] Find and delete all the files related to the trojan, in my case:

%User%\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
%User%\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll

3] Remove the hijacked Tcpip Parameters in the registry:

1 2	HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167 HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167

4] Remove the registry keys created by the malware:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys

If the registry keys related to the rootkit driver cannot be deleted with regedit.exe use regedt32.exe (suggested by Simon).