I have answered my own question
"This is why I recommend that most people simply re-format their PC when contaminated by most spyware. Note that all the software and settings listed below happened after two mouse clicks!
This morning, I examined a client's XP Professional PC. He'd accidentally clicked on and installed some spyware last Friday. He was on a Domain and had Power User credentials (big mistake). The same would happen to a non-Domain user who was logged in with Administrator rights (like 99.9% of home users).
Along with the spyware, he got the following:
His DNS settings were reset to a Russian DNS server.*
BackOrifice was installed.
Several Trojans that grab passwords were installed.
A fake antispyware application (UnSpyPC) was installed.
A Trojan that installs NEW spyware was installed.
Symantec Antivirus was disabled by a setting in the Registry.
Multiple spyware and trojan programs were installed as "Run at boot" programs in the Registry.
Routine scans caught the following:
Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher)).
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications.
HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.
What a mess. Yuck.
We're copying data files to another PC and re-formatting.
WHOIS results for 85.255.114.50 (the new DNS server)
Generated by www.DNSstuff.com
Location: Belarus
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
----------------------------------------------------------------------------
*Pay close attention to the resetting of the DNS services. This is REALLY nasty. It works this way:
The client types in "www.wellsfargo.com" or "www.bankofamerica.com" in his browser (IE or whatever).
Instead of going to Qwest DNS server, his computer goes to the Russian DNS server to resolve the location of "www.wellsfargo.com" or "www.bankofamerica.com".
The Russian DNS server sends the browser to a FAKE Russian site and a fake bank's web site comes up in the browser (ANY browser) and offers to serve him, stealing his account information in the process.
There's NO way to know that you aren't in the 'real' site. You MANUALLY typed, "www.wellsfargo.com" in the browser, so you figure you are safe.
Would most people catch the DNS reassignment? The only reason I noticed it was that I couldn't access an INTERNAL company web site (http://Companyweb, hosted by the company's SBS 2003 server). The PC was able to resolve other PCs on the network (via NetBIOS) and the Russian DNS server pointed to external web sites just fine. But you'd NEVER know it when that Russian DNS server decided to send your next web request to a fake site."
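The post's point is that a swapped resolver is invisible to the user, so the practical defence is to audit the configured DNS servers against a known-good list rather than trust the browser. The following is an added example (not code from the post or its author) that parses Windows XP-style `ipconfig /all` output and flags any resolver not on an administrator's allowlist; the approved addresses and the adapter text are constructed, with only the rogue 85.255.114.50 taken from the post.

```python
import re

# Resolvers an administrator expects on this network. Assumed values: the SBS
# server address is a placeholder and 4.2.2.1 stands in for the ISP's resolver.
APPROVED_DNS = {"192.168.16.2", "4.2.2.1"}

# Constructed sample in the style of Windows XP `ipconfig /all` output; the first
# resolver is the rogue address from the post, the second sits on a continuation line.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.local
        IP Address. . . . . . . . . . . . : 192.168.16.45
        Default Gateway . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 85.255.114.50
                                            192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
KEY_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(\S*)\s*$")
IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(text):
    """Map each adapter name to the DNS servers ipconfig reports for it."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers.setdefault(adapter, [])
            continue
        m = KEY_RE.match(line)
        if m and adapter:  # a new "key : value" line ends any DNS list
            in_dns = m.group(1).startswith("DNS Servers")
            if in_dns and m.group(2):
                servers[adapter].append(m.group(2))
            continue
        m = IP_RE.match(line)
        if m and in_dns and adapter:  # continuation line of the DNS list
            servers[adapter].append(m.group(1))
    return servers


def find_rogue_resolvers(text, approved=APPROVED_DNS):
    """Return {adapter: [resolvers not on the allowlist]}, empty if all is well."""
    return {a: [s for s in lst if s not in approved]
            for a, lst in parse_dns_servers(text).items() if set(lst) - approved}
```

On a suspect machine, feed the real output of `ipconfig /all` to `find_rogue_resolvers` instead of the sample; a non-empty result is the DNS reassignment the post describes, caught before a typed bank address can be steered elsewhere.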