Desktop DNS settings suspiciously changed pointing to Internet sites

Someone reported in NTBugtraq that the DNS server settings on their desktops are getting changed to point to 2 IP addresses on the Internet (216.127.92.38 and 69.51.146.14).

It has affected W2K Pro workstations and Registry entries have been added/changed. One interesting one is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"

Has anyone else seen this? I'm concerned...ok maybe paranoid :eek: (call me that if you want)...that this maybe a new worm/virus. :mad:

No, your not paranoid, windows operating systems are largely insecure, and new worms/virus are being released everyday.

My problem with M$ products, is that, regardless of how secure you attempt to make it, it's still unsecure, and I'm saying this as an MCSE. Mircrosoft products suck. You always have to install 3rd party addons to keep your system relatively secure. I think the best way to secure a windows machine, is to remove the network card, and unplug the keyboard. lol

Any other opinions in the matter?


--PuRe

This is a spyware problem easily fixed with Spybot S&D. I have had about 10 calls about this today...

http://security.kolla.de/

EDIT: As it seems right now, there are several variations of this thing out there. The one we have points to NS1.AOL.COM and can be removed with Spybot. The others are not responding to this approach.

We just found one PC infected with this in-house and am currently combing through it. An updated Spybot S&D on the machine itself hasn't detected it, neither had Adaware. It had 69.57.146.14 as the DNS server.

thehorse13: what's the name of this critter?

We have found the registry entries along with a strange INI file and there are reports on NTBugtraq that a web site causes a program to be downloaded, run, and then deleted. Yeh, nothing new I know but so far dont know what this thing is.

More to come...

The Full Disclosure mailing list has indicated this is the Qhosts-1 worm/trojan.

SANS had a decent writeup on this here (work in progress):

http://isc.sans.org/diary.html?date=2003-10-01

MsMittens is right: Network Associates is calling it Qhosts-1.

It changes DNS setting AND the hosts file. It does this through exploiting the object type vulnerability Microsoft patched with MS03-032.

I've read that the MS patch doesn't work and MS is working on a re-issue...anyone know more on this? Supposedly turning off Active-X is the only way to protect against this at this time (until fixed patch is released) - per this article.

Ugh, Microsoft!

I thought that the correct patch was MS03-040. I actually got called out to clean a machine that was infected with this this week. Here's the info I found on SARC:
http://securityresponse.symantec.com...an.qhosts.html

MS03-040 DOES patch this vulnerability properly. As I stated in my earlier post the trojan exploits the vulnerability MS originally tried to patch in MS03-032 but that patch didn't work.

We are deploying the MS03-040 patch throughout our enterprise due to the ease of exploitation and severity.

Hope your deployment is going well.