Jonathan de Boyne Pollard
c> I'm having a strange problem [...]
c> [...] I looked my tcp/ip config and my dns servers were
c> set to something they shouldn't be! Usually it is on
c> automatically obtain. [...] The DNS addresses were:
c> 69.57.146.14 [and] 69.57.147.175
c> I did ipconfig /displaydns and wow, I had tons of entries!
c> It filled a .txt file with 66kb worth of entries [...]
c> Now the weird part, they are all search engines! [...]
c> My dns cache won't get rid of those addresses. [...]
c> The first time I rebooted it Windows complained about command.com [...]
You've been hit by the "Delude.B" trojan. This trojan uses a bug
in Microsoft's Internet Explorer (which, according to CERT Incident
Note IN-2003-04, has not been properly fixed) that allows web page
authors to write web pages that will cause Internet Explorer to
automatically download and execute whatever programs the web page
author desires. So at some point you've displayed a web page that
caused this trojan to be downloaded and run.
The trojan changes the proxy DNS servers that your DNS Client is
configured to use, to the addresses of two machines assigned to
Everyone's Internet which were discovered to have been compromised
and which have since been taken out of service. The intent of the
attacker was clearly to run a proxy DNS service providing
name->address mappings of his/her choosing, in order to impersonate
services without your being any the wiser.
The trojan also populates your "HOSTS" file with a large number
of entries, mapping the names of several widely used web sites to
an IP address whose content HTTP service the attacker intended to
control. The intent of the attacker was clearly, again, to
impersonate services without your being any the wiser. The fact that
these are search engines is not weird, therefore.
The reason that flushing the DNS Client cache does not cause these
mappings to go away is that Microsoft's DNS Client automatically
initially populates its cache from the content of the "HOSTS" file.
You must edit the "HOSTS" file itself for these mappings to go away.
The trojan does not stick around. It performs its task and then
deletes itself from the machine. Since running executables in Win32
cannot delete themselves, it does this by spawning a command
interpreter, passing it a command script containing commands to
delete both the executable and the script. My educated guess is
that the NTVDM process running COMMAND was caused by a witless novice
coding error on the part of the author of the trojan: hard-wiring
"COMMAND" as the name of the command interpreter that it invokes
instead of looking at the value of the %COMSPEC% environment
variable to find what command interpreter to use, as one should.
<URL:http://www.cert.org./incident_notes/IN-2003-04.html>
<URL:http://f-secure.com./v-descs/delude.shtml>
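An added example, not part of this post or of either referenced advisory: a small parser that reads a HOSTS file and flags the pattern described above, many unrelated public host names pinned to a single non-loopback address, so that the offending lines can be removed. The sample file contents are constructed (198.51.100.7 and 192.0.2.10 are RFC 5737 documentation addresses standing in for the attacker's address and a legitimate local entry); the list of watched domain names is an assumption for illustration. On Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Added example (not from the original post): detect and strip HOSTS
entries that pin many public names to one address. Sample data below is
constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample of a tampered HOSTS file (documentation addresses only).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.7    www.google.com
198.51.100.7    google.com   # trailing comment
198.51.100.7    www.altavista.com
198.51.100.7    search.yahoo.com
198.51.100.7    www.lycos.com
192.0.2.10      intranet.example   # legitimate local entry (assumed)
"""

# Assumed watch list of public domains that should never appear in a
# workstation's HOSTS file.
WATCHED = {"google.com", "yahoo.com", "altavista.com", "lycos.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring blank lines and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; skip the line
        for name in fields[1:]:
            pairs.append((str(ip), name.lower()))
    return pairs


def group_by_address(pairs):
    """Map each address to the set of names pinned to it."""
    groups = defaultdict(set)
    for ip, name in pairs:
        groups[ip].add(name)
    return groups


def suspicious_addresses(pairs, min_names=3):
    """Addresses that are neither loopback, link-local nor unspecified and
    that pin min_names or more distinct host names. A legitimate HOSTS
    file rarely maps many unrelated public names to one address."""
    out = {}
    for ip, names in group_by_address(pairs).items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
            continue
        if len(names) >= min_names:
            out[ip] = sorted(names)
    return out


def hijacked_names(pairs, watched):
    """Entries whose host name, or a parent domain of it, is on the watch
    list. Returns (name, ip) tuples."""
    hits = []
    for ip, name in pairs:
        labels = name.split(".")
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in watched:
                hits.append((name, ip))
                break
    return hits


def clean_hosts(text, bad_ips):
    """Return the file text with every line for an address in bad_ips
    dropped; comments and other entries are kept verbatim."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] in bad_ips:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    pairs = parse_hosts(SAMPLE_HOSTS)
    bad = suspicious_addresses(pairs)
    for ip, names in bad.items():
        print(f"{ip} pins {len(names)} names: {', '.join(names)}")
    for name, ip in hijacked_names(pairs, WATCHED):
        print(f"watched name {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS, set(bad)))
```

Because the DNS Client seeds its cache from the HOSTS file, the cleaned file must be written back before the cache is flushed; flushing first, as the original poster found, only reloads the same entries.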