NAI has this as QHosts-1, and says MS03-032 does NOT protect against it: http://vil.nai.com/vil/content/v_100719.htm
Cheers,
Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: Joe Stewart [mailto:[EMAIL PROTECTED]
> Sent: 01 October 2003 21:34
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Mystery DNS Changes
>
>
> On Wednesday 01 October 2003 03:19 pm, Hansen, Kevin wrote:
> > We have seen multiple instances where DHCP enabled workstations have
> > had their DNS reconfigured to point to two of the three addresses
> > listed below. Can anyone else confirm this? Incidents.org is
> > reporting an increase in port 53 traffic over the last two days. Are
> > we looking at the precursor to the next worm?
> >
> > 216.127.92.38
> > 69.57.146.14
> > 69.57.147.175
>
> The top DNS server change was made by a newer variant of the
> Delude/Startpage trojan. It used to add bogus entries in the
> system32\drivers\etc\hosts file, but lately has begun to change the
> user's DNS registry settings as well. It hijacks the user's traffic to
> and from major search engines, redirecting it to a single webserver
> under the control of the trojan author. Any requested search pages have
> popup ads for gambling/porn site registration, presumably because the
> trojan author is getting money for registrations via affiliate
> programs.
>
> It is being installed via the MS03-032 IE object tag exploit. A scan of
> the system may not turn up any infected files - this trojan does not
> run at startup, and deletes its files after the DNS/hosts configuration
> changes are complete.
>
> -Joe
>
> --
> Joe Stewart, GCIH
> Senior Security Researcher
> LURHQ Corporation
> http://www.lurhq.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
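Joe's description gives a defender two things to check on a suspect workstation: hosts-file overrides for search-engine names, and client DNS settings pointing at the addresses Kevin listed. The script below is an added example, not code from any poster in this thread or from LURHQ/NAI. The hosts-file text and the NameServer value it inspects are constructed samples embedded inline so it runs offline; on a real machine you would read `%SystemRoot%\system32\drivers\etc\hosts` and the per-interface `NameServer` string from the Tcpip\Parameters registry tree instead. The list of search-engine suffixes is an assumption, since the thread only says "major search engines"; the three resolver addresses come from the thread itself.

```python
"""Triage checks for the hosts-file / DNS resolver hijack described above.

Added example (not the original thread's code). Inputs are constructed
samples; swap in the real hosts file and registry value on a live host.
"""
import ipaddress

# Resolver addresses quoted in Kevin Hansen's report (from the thread).
SUSPECT_RESOLVERS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}

# Assumed list of "major search engines" of the period; the thread does not
# name them, so extend this to fit your environment.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "altavista.com", "msn.com", "lycos.com")

# Entries that belong in a stock hosts file and should never be flagged.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (after '#') and blank lines are ignored; a line whose first
    field is not a valid IP address is skipped rather than misreported.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry (garbage or truncated line)
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def is_watched(host):
    """True if host is one of the watched search-engine domains or a subdomain."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_hosts_entries(text):
    """Flag hosts entries that override a search-engine name or point at
    one of the resolver addresses reported in the thread."""
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in BENIGN:
            continue
        reasons = []
        if is_watched(host):
            reasons.append("search-engine name overridden in hosts file")
        if ip in SUSPECT_RESOLVERS:
            reasons.append("maps to an address reported in the thread")
        if reasons:
            findings.append({"ip": ip, "host": host, "reasons": reasons})
    return findings


def check_nameserver_value(value, expected):
    """Inspect a NameServer registry string (comma- or space-separated).

    Returns the servers that are either in SUSPECT_RESOLVERS or not among
    the resolvers DHCP is expected to hand out on this network.
    """
    servers = value.replace(",", " ").split()
    return [s for s in servers if s in SUSPECT_RESOLVERS or s not in expected]


# --- constructed sample data -------------------------------------------------
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
69.57.147.175   www.google.com google.com
69.57.147.175   search.yahoo.com
192.168.1.20    intranet.example.local   # legitimate local override
"""

SAMPLE_NAMESERVER = "69.57.146.14,216.127.92.38"   # constructed registry value
EXPECTED_RESOLVERS = {"10.0.0.1", "10.0.0.2"}      # what DHCP should assign here

if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{f['ip']:<16}{f['host']:<24}{'; '.join(f['reasons'])}")
    for s in check_nameserver_value(SAMPLE_NAMESERVER, EXPECTED_RESOLVERS):
        print(f"unexpected resolver: {s}")
```

Because the trojan removes its own files once the changes are made, these two artifacts are what is left to look at; run the checks across DHCP clients and correlate hits with the port 53 traffic spike Kevin mentioned rather than relying on a file scan alone.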