PROJET AUTOBLOG


Shaarli - Shaarli discussions

Archived

Original site: Shaarli - Shaarli discussions, as of 23/07/2013


Shopperz alters dnsapi.dll | Malwarebytes Unpacked

Thursday, 3 September 2015 at 14:32
GuiGui's Show - Liens
« The next thing the Trojan does is copy the users’ hosts file and add a couple of lines at the top.

It then stores this altered copy in a different location, making sure that the length of the string showing the location inside the system32 folder is 18, exactly the same as the length of “\drivers\etc\hosts”. In my removal guide it was “\idhk\jec\ivot.dat” but “\spp\store\hst.dat” was another one we found often, which seemed convenient as that is placed in an existing folder.

Why is the length of the string important? Well, that is to facilitate the next part of this scheme. The Trojan then replaces your dnsapi.dll files (all of them) with a patched copy. The size of that copy will be the same as the original because of the identical length of the string.
This patched copy points to the altered hosts file, making the hijack complete. »

Excellent :o
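The quoted write-up explains the trick a defender can look for: the Trojan keeps the patched dnsapi.dll the same size as the original by swapping the embedded "\drivers\etc\hosts" string for another 18-character path. The Python below is an added example, not code from Malwarebytes or the Shaarli post. It scans a DLL image for embedded UTF-16LE path strings and flags an image in which the expected hosts path is gone and a same-length replacement is present. The sample images are constructed stand-ins, and the assumption that the path is stored as a UTF-16LE string is this example's, not something the write-up states.

```python
"""Check whether a dnsapi.dll image still references \\drivers\\etc\\hosts.

Added example (not from the original write-up). Assumes the path is stored
inside the DLL as a UTF-16LE string; the sample images below are constructed.
"""
import re

# Path the genuine dnsapi.dll references, relative to %SystemRoot%\System32.
EXPECTED_HOSTS_PATH = r"\drivers\etc\hosts"
# The Trojan keeps the replacement at this length so the file size is unchanged.
PATH_LEN = len(EXPECTED_HOSTS_PATH)  # 18

# A run of at least four printable ASCII characters encoded as UTF-16LE.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def embedded_paths(image: bytes) -> list[str]:
    """Return every embedded UTF-16LE string that starts with a backslash."""
    return [
        m.group().decode("utf-16-le")
        for m in _UTF16_RUN.finditer(image)
        if m.group().startswith(b"\\\x00")
    ]


def check_dnsapi(image: bytes) -> dict:
    """Classify an image as clean, suspicious, or unknown.

    clean      : the expected hosts path is present.
    suspicious : the expected path is missing and another 18-character
                 backslash path is present (the size-preserving swap).
    unknown    : the expected path is missing and no same-length candidate
                 was found; compare against a known-good hash instead.
    """
    paths = embedded_paths(image)
    if EXPECTED_HOSTS_PATH in paths:
        return {"verdict": "clean", "hosts_path": EXPECTED_HOSTS_PATH, "suspects": []}
    suspects = [p for p in paths if len(p) == PATH_LEN]
    return {
        "verdict": "suspicious" if suspects else "unknown",
        "hosts_path": None,
        "suspects": suspects,
    }


def _fake_dll(hosts_path: str) -> bytes:
    """Constructed stand-in for a DLL image: an MZ stub, a registry-style
    wide string, the hosts path as a wide string, then filler bytes."""
    return (
        b"MZ" + b"\x00" * 62
        + "SOFTWARE\\Microsoft".encode("utf-16-le") + b"\x00\x00"
        + hosts_path.encode("utf-16-le") + b"\x00\x00"
        + b"\x90" * 16
    )


# Constructed samples: a clean image and one carrying the replacement path
# named in the write-up ("\spp\store\hst.dat").
CLEAN_IMAGE = _fake_dll(EXPECTED_HOSTS_PATH)
PATCHED_IMAGE = _fake_dll(r"\spp\store\hst.dat")


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(name, len(image), "bytes ->", check_dnsapi(image))
```

Because the two constructed images have identical sizes, the example also shows why a size comparison alone cannot catch this swap; in practice, verify the DLL against its Authenticode signature or a known-good hash rather than relying on string inspection.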