DNSMessenger

If you do not want to fall victim to DNSMessenger, DO NOT open spam emails and the files attached to them. This fileless bot is spread using a misleading message with a file that is, allegedly, protected by McAfee, a well-known security tool. While nothing happens if the user opens the email message, if they enable the file as instructed, malware can be executed. A fileless bot is dropped, and it can use DNS records from encoded domains to execute malicious commands. Virtually any command could be executed, and that makes the attackers pretty much unpredictable. At the time of research, the attack was disabled due to a link not working, but we cannot guarantee that things would not change in the future. If your system was already infected, follow the DNSMessenger removal guide below, and use the removal tips presented in this report. If you are looking for tips on how to prevent malware from slithering into your operating system, you will find useful information if you keep reading as well.

DNSMessenger spreads via phishing emails, and the message has to look legitimate enough to trick targets into opening it. Due to this, everything starting with the subject line and ending with the name of the attached file is thoroughly considered. If you are tricked into clicking the attachment, a window with the McAfee Secure logo pops up. The message reads: “This document has been secured by McAfee To view this Protected Document, click Enable Content.” This is how the creator of DNSMessenger tricks gullible users into enabling macros. This leads to the opening of a malicious VBA script, which executes Windows Management Instrumentation (WMI) to open up a fileless backdoor. That means that no infection is dropped, but malicious commands can be executed. The WMI code is obfuscated and passed to PowerShell. Depending on whether or not the affected user is the system’s administrator, it creates points of execution in either HKEY_LOCAL_MACHINE (if admin) or HKEY_CURRENT_USER (if not admin) registries. The manual removal guide below shows how to delete these points of execution.

According to our virtual security experts, the fileless DNSMessenger malware can create an alternative data stream (ADM) using kernel32.dll in %PROGRAMDATA%\Windows\. That happens only if PowerShell is running on 3.0 or later versions. Otherwise, a registry value called “kernel32” is created along with the point of execution in the Windows Registry. The final element created by the threat is a task in either %WINDIR%\System32\Tasks\ or %WINDIR%\Tasks directory. The threat acts as a remote-access Trojan, and that means that it opens a backdoor that cyber criminals could use to do anything they want. Most likely, that would drop malicious files to execute more functional threats, and these could lead to big security problems. Employ a legitimate malware scanner immediately to check if you need only to delete DNSMessenger, or if there are other threats that require your attention. If other threats are detected, use the search field at the top to enter the names of these threats one by one to find appropriate removal guides. If you cannot find them, post a comment below.

You now know that opening spam emails can be dangerous, but did you know that there are plenty of other security backdoors that could be used to drop malicious threats? Protecting your operating system can be extremely tiresome and difficult, which is exactly why employing anti-malware software is our recommendation. As soon as it is installed, it will automatically delete DNSMessenger and all other active threats. Simultaneously, it will strengthen the protection of your operating system to ensure that it is not affected by dangerous threats in the future. If you choose not to invest in legitimate security software, you will need to handle the removal of DNSMessenger on your own. The guide below shows how to delete malicious components, but if you cannot find them all yourself, do not assume that you are safe because some are eliminated. If you need any kind of security-related help, do not hesitate to contact our research team via the comments section that is open to everyone.

DNSMessenger Removal

1. Delete recently downloaded suspicious files.
2. Tap Win+E keys to launch Windows Explorer.
3. Enter %PROGRAMDATA%\Windows\ into the field at the top.
4. Delete the file named kernel32.dll.
5. Enter %WINDIR%\System32\Tasks\ into the field at the top.
6. Delete the task created by the infection.
7. Enter %WINDIR%\Tasks into the field at the top and follow step 6.
8. Tap Win+R keys to launch the Run dialog box.
9. Enter regedit and click OK to access Registry Editor.
10. Delete all [unknown name] values representing the points of execution here:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    • HKEY_LOCAL_MACHINE \Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
11. Empty Recycle Bin to complete the removal.
12. Install and run a legitimate malware scanner to check for leftovers.