Trojan:Win32/Dnschanger.AI is a trojan that monitors Web sites visited and logs information such as user accounts and passwords, which is then sent to a remote attacker. This trojan may also lower Internet security settings.
Installation
When Win32/Dnschanger.AI is run, it writes the following files:
<system folder>\wmedia32.exe - a copy of the trojan
%Temp%\removeme<random number>.bat - batch script
The dropped batch script deletes the originally executed malware file and also runs a continuous ping to 0.0.0.0. The trojan registers itself to run at each Windows start by adding the following registry value:
Adds value: WMedia32
With data: wmedia32.exe
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Payload
Bypass Firewall
This trojan may bypass an existing firewall application by adding itself as an allowed program.
Lowers Internet Security Settings
This trojan may lower Internet security settings in order to suppress the browser's redirection warnings, by modifying the following registry values:
Modifies value: WarningOnZoneCrossing
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Modifies value: WarnOnPost
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Win32/Dnschanger.AI may alter Internet Explorer options, disabling the auto-complete prompt and forcing the user to re-enter sensitive information. This supports the trojan's logging payload: details that would otherwise be auto-filled must be typed again and can be captured. The Internet Explorer option is altered via the following registry modification:
Modifies value: AskUser
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
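The registry artefacts listed above (the Run entry from the Installation section and the three zeroed Internet Explorer values from this section) can be checked offline against a registry export. The following is an added example, not code from the original entry or from Microsoft: it parses a `reg export`-style text and reports which of the listed indicators are present. The sample exports are constructed for the example; the key paths and value names come from the entry. Note the caveat built into the scoring: the Run value is specific to this trojan, whereas WarningOnZoneCrossing, WarnOnPost and AskUser set to 0 can also result from ordinary user configuration and only corroborate a finding.

```python
import re
from typing import Dict

RegData = Dict[str, Dict[str, object]]

# Constructed sample export of an affected machine (not real captured data).
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WMedia32"="wmedia32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarningOnZoneCrossing"=dword:00000000
"WarnOnPost"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms]
"AskUser"=dword:00000000
"""

# Constructed sample export of a clean machine for comparison.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000001
"""

# Key paths from the entry, lower-cased because registry paths are case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings".lower()
FORMS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms".lower()

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> RegData:
    """Parse a .reg export into {key_path: {value_name: data}}.
    Strings are unescaped, dword values become ints, other data is kept raw.
    Keys and value names are lower-cased for case-insensitive lookup."""
    data: RegData = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            data.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, rhs = m.group(1), m.group(2)
            if rhs.startswith("dword:"):
                value: object = int(rhs[len("dword:"):], 16)
            elif rhs.startswith('"') and rhs.endswith('"'):
                value = rhs[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                value = rhs  # hex:, expand strings etc. are left as written
            data[current][name.lower()] = value
    return data


def find_indicators(reg: RegData) -> Dict[str, str]:
    """Return {indicator: severity} for each Dnschanger.AI registry artefact found."""
    hits: Dict[str, str] = {}
    run_value = reg.get(RUN_KEY, {}).get("wmedia32")
    if isinstance(run_value, str) and run_value.lower().endswith("wmedia32.exe"):
        hits["run_wmedia32"] = "strong"  # autorun entry named in the entry
    inet = reg.get(INET_KEY, {})
    for name in ("warningonzonecrossing", "warnonpost"):
        if inet.get(name) == 0:
            hits[name] = "weak"  # suppressed IE warning; also a legitimate setting
    if reg.get(FORMS_KEY, {}).get("askuser") == 0:
        hits["askuser"] = "weak"  # auto-complete prompt disabled
    return hits


def assess(hits: Dict[str, str]) -> str:
    """Turn the indicator set into a triage verdict."""
    if any(sev == "strong" for sev in hits.values()):
        return "likely infected"
    if hits:
        return "review: weakened IE settings, no autorun entry"
    return "clean"


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        found = find_indicators(parse_reg_export(text))
        print(f"{label}: {assess(found)} {found}")
```

On a live host the same checks map onto the corresponding Get-ItemProperty calls against HKLM:\...\Run, HKCU:\...\Internet Settings and HKCU:\...\IntelliForms; the file-system indicators (wmedia32.exe in the system folder, removeme*.bat in %Temp%) are a natural second pass.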
Logs Sensitive Information
Trojan:Win32/Dnschanger.AI monitors Web sites visited, and logs information such as user accounts and passwords. This logged data is then sent out to a remote attacker.