Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable... But at least it's all here. Enjoy!
Viruswarn Forums
Lee Drake (Posts: 238) | 10/01/2003 4:29 PM

What is it
A new virus called "Delude" is changing users' DNS settings to point to a server that redirects popular sites to different sites than intended, and/or modifies their hosts file to accomplish the same task. Though this virus was released in early September, we're starting to see some evidence of it in the wild.

What can you do
As always, updated virus signatures, a good internet firewall, and updating your critical updates from windowsupdate.microsoft.com will prevent this bug from ever affecting you.
Most updated virus signatures will detect this virus (see details below). The virus exploits a vulnerability in Internet Explorer that allows executables to run from a web page. The vulnerability is labeled by Microsoft as MS03-032. Anyone who's been keeping up with their critical updates should already be protected. Here's the web page describing the vulnerability and patch:
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
There is one other step you can take to avoid the virus. This step is to set your hosts file to read-only.
The hosts file is found in different locations depending on the operating system. On Windows XP/NT/2000 it is found in the C:\WINDOWS\system32\drivers\etc directory. On Windows 9x it is found in c:\windows\.
To set it to read-only, find the file in Explorer, right-click on it, and choose PROPERTIES. Then check the box making it read-only and say "OK" to apply the change.
If you're already being redirected, it's too late to change the file to read-only. You need to open the file with Notepad, delete all entries other than the one that says:
127.0.0.1 localhost
and save the file over the hosts file again. You can use NOTEPAD to open the file, but you'll need to set it to look for ALL files instead of just files with *.TXT in the name. If you are using Spybot's hosts file feature, reapply the Spybot hosts file after you purge all the entries.
If somehow your DNS settings get changed, this is more complicated to fix. If this happens, contact a computer technician who's familiar with your network to be sure that you have the correct settings for your network in your TCP/IP setup.

Other sources
http://www.europe.f-secure.com/v-descs/delude.shtml
Lee Drake (Posts: 238) | 10/01/2003 10:33 PM

The virus that's going around seems to be a variant of the previously posted virus (the DELUDE virus). It has slightly different characteristics in that it may adjust the registry key that points to your hosts file to point to a different location, and/or adjust your DNS settings in addition to changing the hosts file. This would mean that simply marking the hosts file read-only won't prevent this particular virus; it is simply installing a file elsewhere, then redirecting the operating system to point there. As more information comes out we'll keep you updated. This virus DOES seem to exploit the MS03-032 vulnerability to get onto your system. IF that is patched and you have current virus software, you should be OK as far as "automatic infection". Here's a reference to the McAfee website that details the info as it comes in about this virus:
http://vil.nai.com/vil/content/v_100719.htm

Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St. Ste B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net Office Phone: 585-242-2060
Fax number: 585-242-9441
Cell number: 585-509-0284
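As an added example (not part of the thread or of Lee Drake's own tooling), the following Python does by script what the first post describes by hand and adds the check the second post implies: it parses a constructed hosts file, flags every mapping other than the `127.0.0.1 localhost` line, rebuilds the file with only that line, and compares a hosts-directory registry value against the default. The registry value name (`Tcpip\Parameters\DataBasePath`) and its default are assumptions taken from Windows documentation, not from the thread; the sample addresses and hostnames are constructed.

```python
import ipaddress
import ntpath
# Constructed sample hosts file: the localhost line plus redirect entries of the
# kind the trojan adds (documentation IPs and .test names, not real indicators).
SAMPLE_HOSTS = """# constructed sample, not a real infected file
127.0.0.1       localhost
203.0.113.10    www.example-search.test   # popular site sent elsewhere
203.0.113.10    example-bank.test
198.51.100.7    update.example.test
"""
# Default hosts directory on NT/2000/XP (assumption from Windows documentation;
# the thread names the directory but not the registry value that holds it).
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"
LOCALHOST = ipaddress.ip_address("127.0.0.1")

def parse_hosts(text):
    """Yield (ip, [hostnames]) for every mapping line, skipping comments and blanks."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), parts[1:]
        except ValueError:
            continue  # first field is not an address: malformed, not a mapping

def suspicious_entries(text):
    """Every mapping except the plain '127.0.0.1 localhost' line the post keeps."""
    return [(str(ip), names) for ip, names in parse_hosts(text)
            if not (ip == LOCALHOST and names == ["localhost"])]

def clean_hosts(text):
    """Rebuild the file with comments, blank lines and only the localhost mapping."""
    kept, has_localhost = [], False
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            kept.append(line)            # comments and blank lines are harmless
        elif parts == ["127.0.0.1", "localhost"]:
            has_localhost = True
            kept.append("127.0.0.1 localhost")
        # any other mapping is dropped, as the post instructs
    if not has_localhost:
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"

def hosts_path_is_default(database_path, system_root=r"C:\WINDOWS"):
    """True if a Tcpip\\Parameters\\DataBasePath value still points at the default directory."""
    expand = lambda p: ntpath.normcase(p.replace("%SystemRoot%", system_root).rstrip("\\"))
    return expand(database_path) == expand(DEFAULT_DATABASEPATH)
```

On a live Windows machine the text would come from the hosts file itself and the path value from the registry; here both are passed in so the logic runs anywhere.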
Lee Drake (Posts: 238) | 10/01/2003 10:33 PM

It appears that this is actually a NEW vulnerability, which is not yet patched. There is a specific website that holds the code that implements this vulnerability. Visiting this website with Internet Explorer will almost certainly infect your machine. DO NOT under any circumstances visit a site, or click on a link to a site, with "fortune" or "city" in the name. I purposefully did NOT put the name of the site in its entirety here so that no one would accidentally (or out of curiosity) click through to the name. If you put the two words above together and add .com you'll have the site address, but DO NOT VISIT IT.
Visiting the site will install the Trojan horse. Since this is a new unpatched vulnerability, we can probably expect Microsoft to pounce on this with a patch pretty quickly. I'll keep you updated with when the patch is coming out. In the meantime, be especially careful of links and be sure not to visit sites with Fortune or City in their name.