DNSMessenger

What is DNSMessenger?

DNSMessenger is a malicious computer infection that can be employed by other threats to download additional malware programs onto the target system. This Trojan works without any additional files, so it might not be easy to notice that something is wrong. In fact, you may not notice that until it is too late and your system is infected with many other programs. Hence, you should run regular system scans with a licensed antispyware program that would help you detect and remove DNSMessenger immediately. You will find the manual removal instructions at the bottom of this description, but if you do not want to deal with that on your own, you can always invest in a security tool.

Where does DNSMessenger come from?

As far as our researchers have found, DNSMessenger is a file-less bot. It means that it doesn’t drop any additional files when it enters your system. Another thing about this Trojan is that users tend to install it on their systems themselves. It is a common feature when it comes to Trojans, because they tend to trick users into thinking they are about to install some useful application, but it turns out to be a malicious infection.

Our research team says that DNSMessenger spreads through phishing emails. Phishing emails often look like legitimate emails from reliable parties, but they come with an urgent message, and the user is forced to take action, to react to that message. Most of the time, reacting to the message involves opening the file that has come with the email.

The phishing email that delivers DNSMessenger comes with a fake MS Word document. It looks like your regular MS Word file, but it has a macro. Normally, MS Office disables macros thus protecting users from malicious exploitations, but the file that delivers DNSMessenger has the McAfee Logo on it, and it says that “this document has been secured by McAfee, to view this Protected Document, click Enable Content.” By clicking “Enable Content,” users enable macros, and thus the malicious program can run properly.

What does DNSMessenger do?

The enabled malicious macro opens a VBA script. That script executes WMI (Windows Management Instrumentation), which allows the infection to pass the obfuscated code to PowerShell, and then the infection is launched properly. The PowerShell script then checks if the user, who is currently logged on, has administrator privileges. If the account does have the privileges, the script creates a point of execution in the following Registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Depending on which version of PowerShell is used, DNSMessenger might create an alternate data stream (ADS) in the %PROGRAMDATA% directory (%PROGRAMDATA%\Windows\kernel32.dll). If the system has an older PowerShell, the infection creates an additional registry value named “kernel32.” Aside from that, it also creates a “kernel32” task file.

When the program is set and running, it uses DNS records from encoded domains to execute further commands. Depending on who might be using this infection, the executed commands may differ. However, it is clear that DNSMessenger opens a backdoor on the affected system, which would allow cybercriminals to download more dangerous infections if they know how to employ this Trojan.

In the worst-case scenario, you could be infected with ransomware or other crippling program, and then you would have to work hard to restore your files. Therefore, before any of that happens, you should do yourself a favor and remove DNSMessenger from your system.

How do I remove DNSMessenger?

As mentioned, it might be hard to notice that you have this Trojan on your system. That is why regular computer scans with a security tool of your choice are a must. You can always set a default Windows security program or some third-party application to scan your system regularly. Not to mention that if you have DNSMessenger on board, the chances are that you have many other unwanted programs, too. Please bear in mind that malware tends to travel in packs.

Now, you can always terminate this Trojan manually, but it requires a lot of rummaging around your system. If you are not a fan of manual malware removal, you can invest in a powerful antispyware program that will remove DNSMessenger and other potential threats from your system no questions asked.

Manual DNSMessenger Removal

  1. Press Win+R and the Run prompt will open.
  2. Type %PROGRAMDATA% into the Open box and click OK.
  3. Open the Windows folder and remove the kernel32.dll file.
  4. Press Win+R and type %Windir%. Click OK.
  5. Look for kernel32 tasks in these directories:
    System32/Tasks
    Tasks
  6. If the kernel32 tasks are there, delete them.
  7. Press Win+R again and type regedit. Click OK.
  8. Navigate to these registries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  9. Find and delete the Trojan values (including kernel32).
  10. Close Registry Editor and remove the most recently downloaded files.
  11. Use SpyHunter to perform a full system scan.
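The persistence artifacts listed in the “What does DNSMessenger do?” section and walked through in the manual removal steps can be audited in one pass. The script below is an added example, not code from the original page; it is read-only (it reports, it does not delete), assumes PowerShell 3.0 or later on Windows for the `-Stream` parameter and `Get-ScheduledTask`, and the encoded-PowerShell regex is an added heuristic rather than something the page states.

```powershell
# Read-only audit for the DNSMessenger persistence artifacts described on this page.
# Added example; registry keys, paths and the "kernel32" name come from the page.
function Find-DnsMessengerArtifacts {
    $findings = @()

    # 1. Registry keys named on the page: look for a "kernel32" value or any value
    #    that launches an encoded PowerShell command (heuristic, not from the page).
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            $value = [string]$props.$name
            if ($name -eq 'kernel32' -or $value -match 'powershell.*\s-(e|ec|enc|encodedcommand)\b') {
                $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Detail = $value }
            }
        }
    }

    # 2. The planted DLL under %PROGRAMDATA% and any alternate data streams attached to it.
    $dll = Join-Path $env:ProgramData 'Windows\kernel32.dll'
    if (Test-Path $dll) {
        $streams = Get-Item -Path $dll -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        $findings += [pscustomobject]@{ Type = 'File'; Location = $dll
                                         Detail = "extra streams: $($streams.Stream -join ', ')" }
    }

    # 3. The "kernel32" task: the task file in either Tasks folder, plus the registered task itself.
    foreach ($dir in @("$env:windir\System32\Tasks", "$env:windir\Tasks")) {
        $taskFile = Join-Path $dir 'kernel32'
        if (Test-Path $taskFile) {
            $findings += [pscustomobject]@{ Type = 'Task'; Location = $taskFile; Detail = 'task file present' }
        }
    }
    $task = Get-ScheduledTask -TaskName 'kernel32' -ErrorAction SilentlyContinue
    if ($task) {
        $findings += [pscustomobject]@{ Type = 'Task'; Location = $task.TaskPath + $task.TaskName
                                         Detail = "registered, state: $($task.State)" }
    }
    return $findings
}

# Run from an elevated prompt so the HKLM keys and both Tasks folders are readable.
Find-DnsMessengerArtifacts | Format-Table -AutoSize
```

An empty table means none of the page's named artifacts were found; any row should be reviewed before following the removal steps above.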