No Subject
- From: Gary Stoneburner <gary.stoneburner@nist.gov>
- Date: Fri, 03 Oct 2003 12:40:10 -0400
re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci930281,00.html

"New details have emerged about a mysterious Trojan that has been
changing domain name server settings on systems since yesterday. [Oct 1,
2003]"

"The Trojan is injected onto a system when IE links to a site hosted
by Web host FortuneCity.com. When the malicious page is rendered, a
series of pop-under pages are rendered by another Web host, EV1.net. One
of those pop-unders from EV1.net downloads a file called aolfix.exe that
infects the system with QHost."

"Once on a system, QHost first removes aolfix.exe. It also changes
the DNS mapping for the computer, so all requests are routed through IP
addresses determined by the Trojan's author. It also redirects popular
search URLs such as google.com and altavista.com to a search site of the
author's choosing. Users of infected systems may not even realize
they have it. When they browse, their DNS requests will be returned but
they will also get "a whole bunch of pornography and gambling
pop-ups," said Russ Cooper, surgeon general at TruSecure Corp."

Note that according to the article the user being infected did NO MORE
than browse a webpage. That user did NOT take any action to
download a file.

I cannot vouch for the correctness of the information in the article and
a search for QHOST on www.cert.org resulted in zero results. This does
invalidate the article especially considering how recent the events are.
Yet, as with all information, use appropriately :-).

Cheers,
Gary
**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************