Trojan.Win32.DNSChanger – DNS Changer Trojan
This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge.
The Registry value modified by this Trojan is:
[HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]
"NameServer"
The dropper is an HTML page containing Visual Basic Script, 1.4 KB in size. Once launched, the Trojan injects its code into the memory of the process that has the following mutex in the system registry:
{BD96C556-65A3-11D0-983A-00C04FC29E36}
The Trojan exploits a vulnerability in the ActiveX XMLHTTP component to download a file from the following URL:
http://www.***fch.com/admin/picimg/qq.exe
The DNSChanger Trojan is usually a small file (about 1.4 kilobytes) designed to change the ‘NameServer’ Registry value to an IP address chosen by the attacker. This IP address is usually stored encrypted in the body of the Trojan. As a result of this change, the victim’s computer contacts the rogue DNS server to resolve the names of the web servers it visits.
The Trojan exploits a vulnerability in the “ADODB.Stream” ActiveX component to save the downloaded file to the current user’s Windows temporary directory as “svchost.exe”: %Temp%\svchost.exe
The Trojan then creates a file called “svchost.vbs” in the same temporary directory: %Temp%\svchost.vbs
ALIAS: Trojan.Win32.DNSChanger, DNS Changer
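The two host-side indicators described above (a rewritten NameServer value under Tcpip\Parameters\Interfaces, and svchost.exe / svchost.vbs dropped into %Temp%) can be checked with a small script. The following is an added example written for this description, not code from the Trojan or from any vendor tool. The allowlist of corporate resolvers, the interface GUIDs and the sample directory listing are constructed placeholders; the registry path follows the key named above, using CurrentControlSet so it resolves to the active control set on a live machine. The winreg collector only runs on Windows; the classification functions take plain Python data so they can be exercised anywhere.

```python
"""Defender-side check for the DNSChanger indicators: static resolvers outside an
allowlist under Tcpip\\Parameters\\Interfaces, and the dropper's %Temp% artifacts.
Added example; not part of the original description."""
import ipaddress
import os

# Registry path named in the description (page cites ControlSet001; CurrentControlSet
# is the live alias for the control set the running system booted with).
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# File names the description says are written into the user's temp directory.
DROPPED_FILES = ("svchost.exe", "svchost.vbs")


def parse_nameserver(value):
    """Split a NameServer string (comma- or space-separated) into individual tokens."""
    if not value:
        return []
    return [tok for tok in value.replace(",", " ").split() if tok]


def classify_interfaces(interfaces, allowed_resolvers):
    """interfaces: {guid: NameServer string or None}. Returns (guid, token, reason)
    for every statically configured resolver that is not in the allowlist."""
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    findings = []
    for guid, raw in interfaces.items():
        for tok in parse_nameserver(raw):
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:
                findings.append((guid, tok, "unparseable NameServer entry"))
                continue
            if ip not in allowed:
                findings.append((guid, tok, "NameServer outside allowlist"))
    return findings


def suspicious_temp_files(temp_dir, listing=None):
    """Return dropped-file names present in temp_dir. A legitimate svchost.exe lives in
    System32, never in %Temp%. `listing` allows passing a constructed directory listing
    instead of reading the filesystem."""
    names = listing if listing is not None else os.listdir(temp_dir)
    lower = {n.lower() for n in names}
    return [f for f in DROPPED_FILES if f in lower]


def read_live_interfaces():
    """Windows-only collector: NameServer value per interface GUID; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, guid) as sub:
                try:
                    value, _ = winreg.QueryValueEx(sub, "NameServer")
                except FileNotFoundError:  # interface uses DHCP-assigned DNS
                    value = None
            result[guid] = value
    return result


if __name__ == "__main__":
    # Constructed sample: one interface left on DHCP (empty NameServer), one rewritten
    # to resolvers outside the placeholder corporate allowlist.
    sample = {
        "{11111111-2222-3333-4444-555555555555}": "",
        "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": "203.0.113.7,203.0.113.8",
    }
    allowlist = ["192.0.2.53", "192.0.2.54"]  # placeholder resolvers
    live = read_live_interfaces() or sample
    for finding in classify_interfaces(live, allowlist):
        print("ALERT", finding)
    for name in suspicious_temp_files("%TEMP%", listing=["foo.tmp", "SVCHOST.VBS"]):
        print("ALERT dropped file in temp:", name)
```

Run on a Windows host, the script reads the live registry and falls back to the constructed sample only when winreg is unavailable; on the sample it reports both 203.0.113.x resolvers and the svchost.vbs entry. Treat any hit on a NameServer outside the allowlist as a trigger to compare with the DHCP-offered servers before remediating.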