Trojan.DnsChange.19550

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...

Malicious functions

To complicate detection of its presence in the operating system,

modifies the following system settings:

DNS server to '<DNS_SERVER>'

Modifies file system

Creates the following files

Network activity

TCP

Other

'<DNS_SERVER>':53

UDP

DNS ASK microsoft.com

Miscellaneous

Executes the following

'<SYSTEM32>\cmd.exe' /c title Hitreg Network Optimizer by Slix
'<SYSTEM32>\cmd.exe' /c color 0B
'<SYSTEM32>\cmd.exe' /c cls
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 0xffffffff /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 0xffffffff /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NoLazyMode /t REG_DWORD /d 1 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NoLazyMode /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TCPNoDelay /t REG_DWORD /d 1 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TCPNoDelay /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpAckFrequency /t REG_DWORD /d 1 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpAckFrequency /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpDelAckTicks /t REG_DWORD /d 0 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpDelAckTicks /t REG_DWORD /d 0 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v MaxUserPort /t REG_DWORD /d 65534 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v MaxUserPort /t REG_DWORD /d 65534 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpTimedWaitDelay /t REG_DWORD /d 30 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpTimedWaitDelay /t REG_DWORD /d 30 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DefaultTTL /t REG_DWORD /d 64 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DefaultTTL /t REG_DWORD /d 64 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v GlobalMaxTcpWindowSize /t REG_DWORD /d 65535 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v GlobalMaxTcpWindowSize /t REG_DWORD /d 65535 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpWindowSize /t REG_DWORD /d 65535 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpWindowSize /t REG_DWORD /d 65535 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SackOpts /t REG_DWORD /d 1 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SackOpts /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c netsh int tcp set global autotuninglevel=normal >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set global autotuninglevel=normal
'<SYSTEM32>\cmd.exe' /c netsh int tcp set global chimney=enabled >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set global chimney=enabled
'<SYSTEM32>\cmd.exe' /c netsh int tcp set global rss=enabled >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set global rss=enabled
'<SYSTEM32>\cmd.exe' /c netsh int tcp set global netdma=enabled >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set global netdma=enabled
'<SYSTEM32>\cmd.exe' /c netsh int tcp set global ecncapability=enabled >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set global ecncapability=enabled
'<SYSTEM32>\cmd.exe' /c netsh int tcp set global timestamps=disabled >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set global timestamps=disabled
'<SYSTEM32>\cmd.exe' /c netsh int tcp set global initialRto=2000 >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set global initialRto=2000
'<SYSTEM32>\cmd.exe' /c netsh int tcp set supplemental internet congestionprovider=ctcp >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set supplemental internet congestionprovider=ctcp
'<SYSTEM32>\cmd.exe' /c ipconfig /flushdns >nul 2>&1
'<SYSTEM32>\ipconfig.exe' /flushdns
'<SYSTEM32>\cmd.exe' /c ipconfig /registerdns >nul 2>&1
'<SYSTEM32>\ipconfig.exe' /registerdns
'<SYSTEM32>\cmd.exe' /c netsh winsock reset catalog >nul 2>&1
'<SYSTEM32>\netsh.exe' winsock reset catalog
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xFFFFFFFF /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xFFFFFFFF /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Psched" /v NonBestEffortLimit /t REG_DWORD /d 0 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Psched" /v NonBestEffortLimit /t REG_DWORD /d 0 /f
'<SYSTEM32>\cmd.exe' /c sc config "DoSvc" start= disabled >nul 2>&1
'<SYSTEM32>\sc.exe' config "DoSvc" start= disabled
'<SYSTEM32>\cmd.exe' /c sc stop "DoSvc" >nul 2>&1
'<SYSTEM32>\sc.exe' stop "DoSvc"
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
'<SYSTEM32>\cmd.exe' /c netsh int tcp set heuristics disabled >nul 2>&1
'<SYSTEM32>\netsh.exe' int tcp set heuristics disabled
'<SYSTEM32>\cmd.exe' /c netsh int ip set global taskoffload=enabled >nul 2>&1
'<SYSTEM32>\netsh.exe' int ip set global taskoffload=enabled
'<SYSTEM32>\cmd.exe' /c netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
'<SYSTEM32>\cmd.exe' /c netsh interface ipv4 set subinterface "Wi-Fi" mtu=1500 store=persistent >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ipv4 set subinterface "Wi-Fi" mtu=1500 store=persistent
'<SYSTEM32>\cmd.exe' /c netsh interface ip set dns name="Ethernet" static 8.#.8.8 >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ip set dns name="Ethernet" static 8.#.8.8
'<SYSTEM32>\cmd.exe' /c netsh interface ip add dns name="Ethernet" 8.#.4.4 index=2 >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ip add dns name="Ethernet" 8.#.4.4 index=2
'<SYSTEM32>\cmd.exe' /c netsh interface ip set dns name="Wi-Fi" static 8.#.8.8 >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ip set dns name="Wi-Fi" static 8.#.8.8
'<SYSTEM32>\cmd.exe' /c netsh interface ip add dns name="Wi-Fi" 8.#.4.4 index=2 >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ip add dns name="Wi-Fi" 8.#.4.4 index=2
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v TCPNoDelay /t REG_DWORD /d 1 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v TCPNoDelay /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DefaultReceiveWindow /t REG_DWORD /d 65535 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DefaultReceiveWindow /t REG_DWORD /d 65535 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DefaultSendWindow /t REG_DWORD /d 65535 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v DefaultSendWindow /t REG_DWORD /d 65535 /f
'<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v FastSendDatagramThreshold /t REG_DWORD /d 65535 /f >nul 2>&1
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v FastSendDatagramThreshold /t REG_DWORD /d 65535 /f
'<SYSTEM32>\cmd.exe' /c ipconfig /release >nul 2>&1
'<SYSTEM32>\ipconfig.exe' /release
'<SYSTEM32>\cmd.exe' /c ipconfig /renew >nul 2>&1
'<SYSTEM32>\ipconfig.exe' /renew
'<SYSTEM32>\cmd.exe' /c netsh interface ipv4 set glob defaultcurhoplimit=64 >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ipv4 set glob defaultcurhoplimit=64
'<SYSTEM32>\cmd.exe' /c netsh interface ipv6 set glob defaultcurhoplimit=64 >nul 2>&1
'<SYSTEM32>\netsh.exe' interface ipv6 set glob defaultcurhoplimit=64

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial