Desktop DNS settings suspiciously changed pointing to Internet sites
Someone reported in NTBugtraq that the DNS server settings on their desktops are getting changed to point to 2 IP addresses on the Internet (216.127.92.38 and 69.51.146.14).
It has affected W2K Pro workstations and Registry entries have been added/changed. One interesting one is:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
Has anyone else seen this? I'm concerned...ok maybe paranoid :eek: (call me that if you want)...that this may be a new worm/virus. :mad:
QHosts1 it is...it's a DNS-hijacking trojan
MsMittens is right: Network Associates is calling it Qhosts-1.
It changes DNS settings AND the hosts file. It does this through exploiting the object type vulnerability Microsoft patched with MS03-032.
I've read that the MS patch doesn't work and MS is working on a re-issue...anyone know more on this? Supposedly turning off ActiveX is the only way to protect against this at this time (until fixed patch is released) - per this article.
Ugh, Microsoft!
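Added example, not part of any post in this thread: a check that scans a registry export (text produced by `reg export` or regedit) for the indicators reported above, namely the two DNS server addresses and the `"r0x"` value under the `Interfaces\windows` key. It assumes the resolver addresses appear in the standard `NameServer` / `DhcpNameServer` string values under `Tcpip\Parameters`; the function name and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the thread: the two reported DNS servers and the odd value.
ROGUE_DNS = {"216.127.92.38", "69.51.146.14"}
MARKER_KEY_SUFFIX = r"\tcpip\parameters\interfaces\windows"
MARKER_VALUE = "r0x"
# Assumption: resolver addresses live in these standard TCP/IP string values.
DNS_VALUES = {"nameserver", "dhcpnameserver"}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

def scan_reg_export(text):
    """Return (key, value name, reason) findings from .reg export text."""
    findings = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key")
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or r"\tcpip\parameters" not in key.lower():
            continue
        name, data = m.group("name"), m.group("data")
        if name.lower() in DNS_VALUES:
            # The value holds a comma- or space-separated list of addresses.
            hits = ROGUE_DNS & set(re.split(r"[,\s]+", data))
            if hits:
                findings.append((key, name, "reported DNS server: " + ", ".join(sorted(hits))))
        if key.lower().endswith(MARKER_KEY_SUFFIX) and name.lower() == MARKER_VALUE:
            findings.append((key, name, "r0x value reported in thread"))
    return findings

# Constructed sample export (not captured from a real host; the GUID is made up).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"NameServer"="216.127.92.38,69.51.146.14"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
'''

if __name__ == "__main__":
    for key, name, reason in scan_reg_export(SAMPLE):
        print(f"{reason}: [{key}] {name}")
```

Regedit version 5 exports are normally UTF-16, so decode the file with that encoding before passing its text to `scan_reg_export`. The hosts file change mentioned in the thread is not covered by this check.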