CXmal/DNSCha-A

Category: Viruses and Spyware
Protection available since: 07 Mar 2012 21:06:34 (GMT)
Type: Malicious behavior
Last Updated: 07 Mar 2012 21:06:34 (GMT)
Prevalence: Small Number of Reports


CXmal/DNSCha-A detects the registry modification made by a class of DNSChanger Trojans (for example, one such Trojan is detected as Troj/DNSChan-A). For more information, please see our blog article at http://nakedsecurity.sophos.com/2012/02/05/dns-changer-infrastructure-shutdown-is-a-good-thing/

Note: This detection will only trigger from a full system scan, either scheduled or on-demand.

Note 2: If your endpoint is not configured to use DHCP, manual cleanup (changing the DNS server settings) is required. Please manually change your DNS settings to point to the proper server for your organization or ISP. See http://support.microsoft.com/kb/305553.

The DNSChanger family resets the DNS name server setting on Windows computers for the various network interfaces on the host machine by modifying the following registry value:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<network interface id>\NameServer
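The following PowerShell audit is an added example, not Sophos code: it walks every interface subkey under that path, reports any static NameServer value that is not on your own resolver allow-list (the addresses in $Allowed are placeholders), and shows the cleanup step from Note 2 for DHCP clients.

```powershell
# Added example (not from Sophos): audit per-interface DNS settings for resolvers
# outside an allow-list, which is how a DNSChanger modification shows up.
# Assumptions: run in an elevated PowerShell; $Allowed holds your organisation's
# or ISP's real resolvers (the two addresses below are placeholders).
$Allowed = @('192.0.2.53', '192.0.2.54')

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$findings = @()

foreach ($iface in Get-ChildItem -Path $base) {
    $props = Get-ItemProperty -Path $iface.PSPath

    # Static DNS lives in NameServer; DHCP-assigned DNS lives in DhcpNameServer.
    # A populated NameServer overrides DHCP, so DNSChanger writes NameServer
    # even on DHCP clients.
    $static = [string]$props.NameServer
    if ([string]::IsNullOrWhiteSpace($static)) { continue }

    # NameServer is a comma- or space-separated list of IPv4 addresses.
    $servers = $static -split '[,\s]+' | Where-Object { $_ }
    $bad = $servers | Where-Object { $Allowed -notcontains $_ }

    if ($bad) {
        $findings += [pscustomobject]@{
            Interface   = $iface.PSChildName
            NameServer  = $static
            Unexpected  = ($bad -join ',')
            DhcpEnabled = [bool]$props.EnableDHCP
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation for DHCP clients (commented out; run only after reviewing the
# findings). Clearing NameServer lets the DhcpNameServer value apply again.
# Statically configured hosts need the correct resolvers set instead, as in
# Note 2 above.
# foreach ($f in $findings | Where-Object DhcpEnabled) {
#     Set-ItemProperty -Path "$base\$($f.Interface)" -Name NameServer -Value ''
# }
# ipconfig /flushdns
```

Run the audit again after remediation to confirm no interface still reports an unexpected resolver.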


CXmal/DNSCha-A exhibits the following characteristics:

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    hgqhp.exe
    C:\WINDOWS\system32\hgqhp.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92A284E9-43B2-406E-A24E-FCB05ACBAD8B}
    NameServer
    85.255.115.101,85.255.112.115
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2861B0F9-F1E8-4A1A-B9D5-08FB3E595B28}
    NameServer
    85.255.115.101,85.255.112.115
Processes Created
  • c:\windows\explorer.exe
  • c:\windows\system32\ipconfig.exe
IP Connections

Further information

There is more information about CXmal/DNSCha-A on the blog article DNS Changer infrastructure shutdown is a *good* thing.