Left out an important word!!! Fwd:



Date: Fri, 3 Oct 2003 12:46:34 -0400 (EDT)
From: Gary Stoneburner <gary.stoneburner@nist.gov>
To: Multiple recipients of list <sec-info@nist.gov>
Subject:

re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci930281,00.html

"New details have emerged about a mysterious Trojan that has been changing domain name server settings on systems since yesterday. [Oct 1, 2003]"

"The Trojan is injected onto a system when IE links to a site hosted by Web host FortuneCity.com. When the malicious page is rendered, a series of pop-under pages are rendered by another Web host, EV1.net. One of those pop-unders from EV1.net downloads a file called aolfix.exe that infects the system with QHost."

"Once on a system, QHost first removes aolfix.exe. It also changes the DNS mapping for the computer, so all requests are routed through IP addresses determined by the Trojan's author. It also redirects popular search URLs such as google.com and altavista.com to a search site of the author's choosing.  Users of infected systems may not even realize they have it. When they browse, their DNS requests will be returned but they will also get "a whole bunch of pornography and gambling pop-ups," said Russ Cooper, surgeon general at TruSecure Corp."

Note that according to the article the user being infected did NO MORE than browse a webpage.  That user did NOT take any action to download a file. 

I cannot vouch for the correctness of the information in the article and a search for QHOST on www.cert.org resulted in zero results.  This does invalidate the article, especially considering how recent the events are.  Yet, as with all information, use appropriately :-).


This does NOT invalidate the article.

Oops!

cheers,
Gary


**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
*
Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************
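The article above says the Trojan "changes the DNS mapping for the computer" so that requests for popular search hosts such as google.com and altavista.com are answered with an address of the author's choosing. The following is an added example, not code from the original message or the article, of the check a responder would run on a suspect Windows box: parse the local hosts file and flag watchlisted hostnames that are mapped to a routable address rather than loopback or a blackhole. It assumes the redirection lives in the hosts file (one place such a mapping can be set; the article does not say which file QHost edits), and the sample hosts content, the 198.51.100.23 address and the watchlist are constructed for illustration only.

```python
import ipaddress

# Constructed sample of a hosts file (not real infected data). The google.com
# and altavista.com lines are the kind of mapping the article describes:
# popular search hosts pointed at an address of the attacker's choosing.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
198.51.100.23   google.com www.google.com   # injected (constructed example)
198.51.100.23   altavista.com
0.0.0.0         ads.example.net
"""

# Hostnames a redirecting Trojan would plausibly target; an assumption made
# for this example, extend it with whatever your users actually rely on.
WATCHLIST = {"google.com", "www.google.com", "altavista.com", "www.altavista.com"}


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file.
    Comments are stripped, blank lines skipped, and one address may carry
    several hostnames on the same line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; a fuller checker would report it
        for name in names:
            yield addr, name.lower(), line_no


def is_benign_target(addr):
    """Loopback, unspecified (0.0.0.0 ad blackholes) and link-local targets are
    normal in a hosts file; anything else routes the name somewhere real."""
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def find_hijacks(text, watchlist=WATCHLIST):
    """Return [(hostname, address, line_no)] for watchlisted names that are
    mapped to a routable address, i.e. traffic for them is being redirected."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name in watchlist and not is_benign_target(addr):
            findings.append((name, str(addr), line_no))
    return findings


if __name__ == "__main__":
    # On a live Windows system read C:\Windows\System32\drivers\etc\hosts
    # instead of the constructed sample.
    for name, ip, line_no in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} (redirected)")
```

Run on the sample it reports the two google.com entries and the altavista.com entry on lines 5 and 6 and stays silent on the 0.0.0.0 blackhole, which is the distinction that matters: a hosts file full of 0.0.0.0 entries is an ad blocker, a hosts file sending google.com to a public address is a redirect. The same filter should be applied to the configured DNS server addresses, since the article's first paragraph says the Trojan changes those as well.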


