WARNING****DNSchanger sounds fishy!! Here are a few tricks to check for infection.
DNS changers have been around for quite some time (see examples below). Why is this variant any different? Why have the big hitters of antivirus been reporting on this one with a removal tool? Why would the FBI set up "Clean Servers" and allow your traffic to still be redirected?
My guess is that they are collecting statistics on every pc that hits their servers. I would not go to that site to have anything checked. Those sites are contractor sites for the FBI/CIA/NSA. Chances that you are infected are pretty low. Just run malwarebytes or any other malware checker.
Check for it running via the netstat command. Open a command prompt and type netstat -b, and look and see what connections you have that are connecting to foreign hosts. Run netstat -p udp to check for outbound UDP connections for DNS port 53 to foreign hosts. Netstat -p tcp, same as above. DNS should not be forwarding outside of your firewall to any outside source from your LAN IP. Check your hosts file for any writes to it, as it will bypass all DNS settings. That is all for now. This is just a suggestion, but the whole thing seems fishy!
If this is a variant of the below trojans then they can be detected by up to date antivirus/malware checkers.
[link to www.symantec.com]
Trojan.Flush.C
Discovered: April 25, 2005
Updated: February 13, 2007 12:37:53 PM
Also Known As: Trojan.Win32.DNSChanger.a [Kas
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Flush.C is a Trojan horse that modifies the DNS server settings on a compromised computer and redirects the browser to potentially malicious Web sites.
Antivirus Protection Dates
Initial Rapid Release version: April 25, 2005
Latest Rapid Release version: April 25, 2005
Initial Daily Certified version: April 25, 2005
Latest Daily Certified version: April 25, 2005
Initial Weekly Certified release date: April 27, 2005
Threat Assessment
Wild: Wild Level: Low; Number of Infections: 0 - 49; Number of Sites: 0 - 2; Geographical Distribution: Low; Threat Containment: Easy; Removal: Moderate
Damage: Damage Level: Low
Distribution: Distribution Level: Low
[link to www.f-secure.com]
Trojan.Win32.DNSChanger.al
Lately we got a few samples of this trojan that were named 'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed to change the DNS server name of a victim's computer to the 193.227.227.218 address. The Registry key that is affected by this trojan is:
[HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces] "NameServer"
Registry Modifications
Creates these keys:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ NameServer = 85.255.xxx.xxx,85.255.xxx.xxx
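A small triage helper for two of the checks the post describes (configured DNS servers that point outside the LAN, and hosts-file entries that override public names), added here as an example and not part of the original post. It assumes the resolver values come from `reg query` output for the Tcpip\Parameters keys listed above; the registry text, interface GUID and hosts file are constructed sample data.

```python
"""Flag DNS resolvers set outside the LAN and non-loopback hosts-file entries.
Input is constructed sample data so the script runs offline."""
import ipaddress
import re

# Constructed `reg query` output; the 85.255.x.x values stand in for the redacted ones above.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ    85.255.112.13,85.255.112.14
    DhcpNameServer    REG_SZ    192.168.1.1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{PLACEHOLDER-GUID}
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.1.1
"""

# Constructed hosts file with one entry that would bypass DNS for a public name.
SAMPLE_HOSTS = """# hosts file (constructed)
127.0.0.1   localhost
::1         localhost
1.2.3.4     www.example-bank.test   # overrides DNS for this name
"""

VALUE_RE = re.compile(
    r"^[ \t]*(NameServer|DhcpNameServer)[ \t]+REG_SZ[ \t]*(.*)$", re.M)

def parse_ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None  # not an IP address (blank value, stray text)

def suspicious_dns_servers(reg_output, trusted=()):
    """List (value_name, ip) for resolvers neither on a private range nor in `trusted`."""
    flagged = []
    for name, value in VALUE_RE.findall(reg_output):
        for token in re.split(r"[,\s]+", value.strip()):
            addr = parse_ip(token)
            if addr and not addr.is_private and token not in trusted:
                flagged.append((name, token))
    return flagged

def hosts_overrides(hosts_text):
    """Map hostname -> IP for hosts entries other than loopback ones."""
    overrides = {}
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        addr = parse_ip(parts[0]) if len(parts) > 1 else None
        if addr and not addr.is_loopback:
            overrides.update((host, parts[0]) for host in parts[1:])
    return overrides
```

Pass your ISP's or router's resolver addresses as `trusted` so legitimate public resolvers are not flagged; anything left is worth comparing against what your router's DHCP actually hands out.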