DNSChanger.a

Type
Trojan
SubType
Win32
Discovery Date
10/20/2005
Length
27,648 bytes
Minimum DAT
4610 (10/21/2005)
Updated DAT
4826 (08/10/2006)
Minimum Engine
5.1.00
Description Added
10/20/2005
Description Modified
10/20/2005 8:06 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

When the program is run (usually by the user executing the file), it copies itself to:

  • %SYSTEMROOT%\SYSTEM32\HGQHP.EXE

and deletes the original file from the directory it was run from. It also modifies the Windows Registry, changing the DNS server entries of the TCP/IP interfaces (see Removal).

It then launches Internet Explorer (IEXPLORE.EXE) to download files from:
  • 195.95.218.100

These include a VBS script (served with a .JPG file extension) that is detected as the VBS/Psyme trojan; that script in turn tries to download an HTML file containing the JS/Exploit-HelpXSite trojan.

Symptoms

  • Presence of the file:
    • %SYSTEMROOT%\SYSTEM32\HGQHP.EXE
  • DNS server entries on any network adapter set to either of:
    • 85.255.112.132
    • 85.255.113.13
  • Network traffic to:
    • 195.95.218.100

Method of Infection

User interaction is required to execute this trojan.

Removal

All Users :
Use specified engine and DAT files for detection and removal. Additional Steps:

Care needs to be taken when cleaning machines infected with this trojan because of the modifications made to the TCP/IP interface settings. Removing the file alone leaves the host resolving names through the attacker's servers. Open the network settings of the affected adapter (via Control Panel) and restore the DNS servers that were configured before the infection. After making the change you will be prompted with a message box similar to the following:

For a complete recovery, the registry values that the trojan changed must also be restored to their original values. The interface settings it modifies are stored under the following key (one subkey per adapter):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Tcpip\Parameters\Interfaces
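The following PowerShell script is an added example, not part of the original McAfee entry, that checks a host for the three indicators listed under Symptoms and, when run with -Remediate, removes the dropped file and clears the rogue DNS servers. It assumes the trojan wrote the rogue addresses into the NameServer value of the Tcpip\Parameters\Interfaces subkeys (the value Windows uses for statically configured DNS servers); the entry names the key but not the value. The pre-infection DNS settings cannot be recovered from the machine, so by default the script empties the static value and lets DHCP supply servers; pass -RestoreNameServer with the correct addresses on a host that was statically configured.

```powershell
# Added example (not from the McAfee entry): check a Windows host for the
# DNSChanger.a indicators listed under Symptoms and optionally clean them up.
# Assumption: the rogue DNS servers were written to the NameServer value
# (Windows' static DNS setting) of the global Tcpip\Parameters key and/or
# the per-adapter Interfaces subkeys; the original entry names only the key.
# Run from an elevated PowerShell prompt. Without -Remediate it only reports.
param(
    [switch]$Remediate,
    # Value written back into NameServer. Empty string = no static servers,
    # so the adapter falls back to the DHCP-assigned list (DhcpNameServer).
    [string]$RestoreNameServer = ''
)

$RogueDns    = @('85.255.112.132', '85.255.113.13')   # from the Symptoms section
$C2Address   = '195.95.218.100'                        # download host from Characteristics
$DropperPath = Join-Path $env:SystemRoot 'System32\HGQHP.EXE'
$GlobalKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$IfaceKey    = "$GlobalKey\Interfaces"

$findings = @()

# 1. Dropped file.
if (Test-Path -LiteralPath $DropperPath) {
    $findings += "File present: $DropperPath"
    if ($Remediate) { Remove-Item -LiteralPath $DropperPath -Force }
}

# 2. DNS server values: the global Parameters key plus every adapter subkey.
$keys = @($GlobalKey)
Get-ChildItem -Path $IfaceKey | ForEach-Object { $keys += $_.PSPath }

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $value = $props.$valueName
        if (-not $value) { continue }
        # Windows stores the server list separated by commas or spaces.
        $servers = $value -split '[ ,]+' | Where-Object { $_ }
        $hits = $servers | Where-Object { $RogueDns -contains $_ }
        if ($hits) {
            $findings += "$key\$valueName = '$value' (rogue: $($hits -join ', '))"
            # Only the static value is edited here. A rogue address in
            # DhcpNameServer came from the DHCP server itself and must be
            # fixed there; the DHCP client overwrites it on the next renewal.
            if ($Remediate -and $valueName -eq 'NameServer') {
                Set-ItemProperty -Path $key -Name NameServer -Value $RestoreNameServer
            }
        }
    }
}

# 3. Live connections to the download host. netstat rather than
#    Get-NetTCPConnection keeps this usable on the XP-era systems this
#    trojan targeted.
$conns = netstat -n | Select-String -SimpleMatch $C2Address
if ($conns) {
    $findings += "Active connection(s) to ${C2Address}:`n$($conns -join "`n")"
}

if ($Remediate) {
    # Drop any answers cached while the rogue servers were in use.
    ipconfig /flushdns | Out-Null
}

if ($findings.Count -eq 0) {
    'No DNSChanger.a indicators found.'
} else {
    $findings
}
```

Run it once without -Remediate to record what it finds, then again with -Remediate. Because the script keys on the two addresses the entry lists, an adapter pointed at a different rogue server would not be flagged; on a host where the static value is unexpectedly populated, compare it against the organisation's known resolvers rather than trusting the list alone.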

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • ~Win32/DNSChanger.R (Eset)
  • Trj/DNSChanger.Y (Panda)
  • Trojan.DNSChanger.U (Softwin)
