TSPY_PAKES
Renos, Zlob, DNSChanger
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
Spotted since 2006, PAKES has been involved in several incidents in which it is downloaded bundled with other malware. In 2008, PAKES was also bundled with a spam "delivery notification" message that led to the download of several other malware.
PAKES is designed to change the DNS settings of the network router so that network traffic is redirected to malicious websites. In effect, cybercriminals indirectly steal money, since traffic intended for legitimate sites is redirected to sites under their control.
TECHNICAL DETAILS
Installation
This spyware drops the following file(s)/component(s):
- %System%\spool\prtprocs\w32x86\{random}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %User Temp%\tmp{random characters}.tmp
- %User Temp%\{random 5 letters}
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Other Details
This spyware connects to the following possibly malicious URLs:
- http://{BLOCKED}.{BLOCKED}.186.237/index.php
- http://{BLOCKED}riverart.com/bskcua.php
- http://{BLOCKED}tmuseum.com/fakbwq.php