dnsChange virus

  • Thread starter: Øyvind Granberg
Re: dnsChange virus SOLVED...

From: "Leythos"


| If you had disabled UPNP, not used the default network subnet, not used
| the default password or not provided the password to some program, it
| could not have changed it.

| Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
| change the password, update the firmware if possible.


Flashing the firmware is not needed.

As of yet, I have not heard of UPnP or other protocols being used to bypass authentication
at TCP port 80. This trojan uses a laundry list of known default passwords.

I don't think that changing the default IP address would help. Let's assume that you did
and the default password was still in place. Nodes getting a DHCP lease would obtain the
IP address of the Router and the trojan would still exploit the weak and known password.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Re: dnsChange virus SOLVED...

In article ,
DLipman~nospam~@Verizon.Net says...
> From: "Leythos"
>
>
> | If you had disabled UPNP, not used the default network subnet, not used
> | the default password or not provided the password to some program, it
> | could not have changed it.
>
> | Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
> | change the password, update the firmware if possible.
>
>
> Flashing the firmware is not needed.
>
> As of yet, I have not heard of UPnP or other protocols being used to bypass authentication
> at TCP port 80. This trojan uses a laundry list of known default passwords.
>
> I don't think that changing the default IP address would help. Let's assume that you did
> and the default password was still in place. Nodes getting a DHCP lease would obtain the
> IP address of the Router and the trojan would still exploit the weak and known password.


My suggestions date back ages. The malware, in the older days, would use
the default subnet of 192.168.0.1 and 192.168.1.1 to attempt connections
and then use the default passwords.

Some tools like AOL used to publish would ask for the password and then
configure the router - I had read about that being exploited because of
UPNP.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Re: dnsChange virus SOLVED...

On Sun, 16 Nov 2008 23:33:50 -0500, Leythos wrote:

> In article ,
> DLipman~nospam~@Verizon.Net says...
>> From: "Leythos"
>>
>>
>>| If you had disabled UPNP, not used the default network subnet, not used
>>| the default password or not provided the password to some program, it
>>| could not have changed it.
>>
>>| Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
>>| change the password, update the firmware if possible.
>>
>>
>> Flashing the firmware is not needed.
>>
>> As of yet, I have not heard of UPnP or other protocols being used to bypass authentication
>> at TCP port 80. This trojan uses a laundry list of known default passwords.
>>
>> I don't think that changing the default IP address would help. Let's assume that you did
>> and the default password was still in place. Nodes getting a DHCP lease would obtain the
>> IP address of the Router and the trojan would still exploit the weak and known password.


> My suggestions date back ages. The malware, in the older days,...


LOL!
 
Re: dnsChange virus SOLVED...

In article ,
kaymanDeleteThis@operamail.com says...
> On Sun, 16 Nov 2008 23:33:50 -0500, Leythos wrote:
>
> > In article ,
> > DLipman~nospam~@Verizon.Net says...
> >> From: "Leythos"
> >>
> >>
> >>| If you had disabled UPNP, not used the default network subnet, not used
> >>| the default password or not provided the password to some program, it
> >>| could not have changed it.
> >>
> >>| Disable UPNP, change from 192.168.0.1 to 192.168.128.1 on the router,
> >>| change the password, update the firmware if possible.
> >>
> >>
> >> Flashing the firmware is not needed.
> >>
> >> As of yet, I have not heard of UPnP or other protocols being used to bypass authentication
> >> at TCP port 80. This trojan uses a laundry list of known default passwords.
> >>
> >> I don't think that changing the default IP address would help. Let's assume that you did
> >> and the default password was still in place. Nodes getting a DHCP lease would obtain the
> >> IP address of the Router and the trojan would still exploit the weak and known password.

>
> > My suggestions date back ages. The malware, in the older days,...

>
> LOL!
>
>

You may think it's funny, but there are people still being hacked by
it.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Re: dnsChange virus SOLVED...

Congratulations, Øyvind - I'll bet that you are pleased! ;-)

Btw - what is the English equivalent of your first name? I
discovered that Øyvind is from the Old Norse name Eyvindr, which was derived
from ey meaning "island" and vindr possibly meaning "victory" or "wind".
Just wondering.

Dave
 
On 17 Nov, 03:02, "David H. Lipman"
wrote:
> From: "Øyvind Granberg"
>
> | The problem is that it changes the DNS entries in your wireless router, not
> | your ADSL router, and every time MBAM deleted registry entries, it reinstated
> | them through the web pages those new DNS addresses pointed to.
>
> | See my latest reply to this thread and spread the word.
>
> Wired or wireless... NO DIFFERENCE!
>
> As I stated a SOHO Router.  SOHO -- Small Office Home Office.
>
> As I posted earlier, the DNSChanger injects a DLL into the Windows Spooler Service.   The
> Spooler Service is restarted and it communicates to the Router.  It doesn't make a
> difference if you are wired through an RJ45 Ethernet port or if you attached wirelessly.
> The Spooler Service is hijacked (so to speak) and communicates to the router such as
> 192.168.1.1   It will then use a dictionary of known passwords (or other methodology) to
> gain access to the Router's DNS entries.  Once the DNSChanger modifies the DNS table of
> the Router any node that obtains an IP address from the Router via DHCP will gain the DNS
> entries the trojan has entered.  Thus *any* device that obtains a DHCP lease from the
> Router will be using the DNS entries the trojan has inserted.
>
> There are Routers that combine a DSL modem with a Router such as a Westell 6100 and
> there are standalone Routers from DLink, Linksys, Netgear, etc.  All are affected IFF the
> user uses the manufacturer's default password.
>
> As of yet, I have not heard of UPnP or protocols being used to bypass authentication at
> TCP port 80.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Hello David H. Lipman


This URL has recently come to my attention: http://www.ezlan.net/index.html#Wireless
Its title is 'Networking for Home & SOHO'

The ezlan.net site overall appears to have a great deal of useful
information, yet I have never happened upon it before. I should be
most grateful if you would confirm (or otherwise) that this is a
genuine site and not 'a wolf in sheep's clothing'.

If you do not know, I suspect you might know someone who does.


Thanks

Dave

--
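The mechanism Dave describes in the quoted post above, and in his earlier reply in this thread (the trojan talks to whatever router the host's DHCP lease points at, logs in with a default password, rewrites the router's DNS forwarders, and DHCP then hands the rogue resolvers to every client), can be checked from the defender's side on the affected Windows host. The script below is an added example written for this page; it is not code from the thread or from any of its participants. It parses `ipconfig /all` output, reads the default gateway the same way a local process would, and flags DHCP-supplied resolvers that are neither the router, nor on RFC 1918 space, nor on an expected-resolver list. The sample output, the "ISP" resolver addresses (198.51.100.x) and the rogue addresses (203.0.113.x) are all constructed placeholders from documentation ranges, not real resolvers.

```python
"""Flag DNSChanger-style rogue resolvers in a Windows host's DHCP lease.

Added example for this page (not the thread's own code). A process on the
host can read the default gateway from its own lease, which is exactly what
`ipconfig /all` prints, so the router's subnet is never a secret from
malware on the LAN. This script runs the same lookup for the defender:
find the gateway, list the resolvers handed out with the lease, and report
any that are neither the router, nor on the LAN, nor on the expected list.
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; not captured from a real host.
# The gateway deliberately sits on a non-default subnet (192.168.128.0/24):
# a local process still learns it from the lease, so changing the subnet
# does not by itself protect a router that keeps its default password.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.128.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.128.1
   DHCP Server . . . . . . . . . . . : 192.168.128.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.7(Preferred)
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

# Resolvers the operator expects the ISP to hand out. Placeholder addresses
# from a documentation range (assumption), not any real ISP's resolvers.
TRUSTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}

# Only RFC 1918 space counts as "on the LAN". ipaddress's is_private would
# also cover the documentation ranges used as placeholders above, so it is
# deliberately not used here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADAPTER_RE = re.compile(r"^(?P<name>\S.*):$")                    # "Ethernet adapter X:"
KV_RE = re.compile(r"^ {3}(?P<key>\S.*?)[ .]*:\s*(?P<val>.*)$")  # "   Key . . . : value"
CONT_RE = re.compile(r"^ {4,}(?P<val>\S.*)$")                     # value continued on next line


def parse_ipconfig(text):
    """Return {adapter name: {field: [values, ...]}} from `ipconfig /all` text."""
    adapters, fields, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            fields = adapters.setdefault(m.group("name"), {})
            last_key = None
            continue
        if fields is None:          # preamble before the first adapter block
            continue
        m = KV_RE.match(line)
        if m:
            last_key = m.group("key")
            values = fields.setdefault(last_key, [])
            if m.group("val"):
                values.append(m.group("val"))
            continue
        m = CONT_RE.match(line)
        if m and last_key is not None:   # e.g. a second DNS server on its own line
            fields[last_key].append(m.group("val"))
    return adapters


def clean_address(value):
    """Strip annotations such as '(Preferred)' that ipconfig appends to addresses."""
    return re.sub(r"\(.*\)$", "", value).strip()


def audit_adapter(fields, trusted=TRUSTED_RESOLVERS):
    """Classify one adapter's DHCP-supplied resolvers; returns a result dict."""
    gateways = [clean_address(v) for v in fields.get("Default Gateway", [])]
    gateway = gateways[0] if gateways else None
    dhcp = fields.get("DHCP Enabled", ["No"])[0].strip().lower() == "yes"
    dns = [clean_address(v) for v in fields.get("DNS Servers", [])]
    rogue = []
    for server in dns:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            rogue.append(server)    # unparsable entry: surface it rather than hide it
            continue
        if addr.version != 4:
            continue                # the thread is about IPv4 SOHO routers; v6 is out of scope
        if server == gateway or server in trusted or any(addr in n for n in RFC1918):
            continue                # the router itself, an expected resolver, or on-LAN
        rogue.append(server)
    return {"gateway": gateway, "dhcp": dhcp, "dns": dns, "rogue": rogue}


def audit(text, trusted=TRUSTED_RESOLVERS):
    """Audit every adapter in an `ipconfig /all` dump."""
    return {name: audit_adapter(fields, trusted) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    # On a live host, feed in subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    for name, result in audit(SAMPLE_IPCONFIG).items():
        verdict = "ROGUE " + ", ".join(result["rogue"]) if result["rogue"] else "ok"
        print(f"{name}: gateway={result['gateway']} dhcp={result['dhcp']} dns={result['dns']} -> {verdict}")
```

A hit on this check means the resolvers came from the DHCP server, i.e. the router, which is where DNSChanger made its change; cleaning the Windows registry alone will not remove it, as Øyvind found. The follow-up is on the router: log in, restore the DNS entries, and replace the default password, since the trojan only works against a router that still accepts one.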
 
Re: dnsChange virus SOLVED...

Well BD...

You've got it almost right.
In fact you've got it right.
But I like to use an interpretation of my name where Øy- is a rewrite or
modernization of old Norse Ey- meaning island.
The second part is -vind, as you mentioned, derived from windr, meaning wind.
But the context of the name is probably the name of a warrior who swept
across the islands like a wind.
I think it sounds better! To be named after a warrior and not a breeze of
light air :-)

There is, to my knowledge, an English equivalent, but the pronunciation is
very close to the Russian name Ivan.


--

Kind regards
Øyvind Granberg

tresfjording@live.no
www.tresfjording.com

"~BD~" wrote in the news message:
ubTH4NaSJHA.4452@TK2MSFTNGP03.phx.gbl ...
> Congratulations, Øyvind - I'll bet that you are pleased! ;-)
>
> Btw - what is the English equivalent of your first name? I
> discovered that Øyvind is from the Old Norse name Eyvindr, which was
> derived from ey meaning "island" and vindr possibly meaning "victory" or
> "wind". Just wondering.
>
> Dave
>
 
Re: dnsChange virus SOLVED...

I assumed that you meant that there is NO English equivalent.
Thanks for your explanation - I shall remember you as Ivan the Terrible!
Or maybe Oyvan ........... if said with an Irish lilt!

Dave

--


"Øyvind Granberg" wrote in message
news:2DD0C245-151A-4A3C-9FF6-6DA02686D74C@microsoft.com...
> Well BD...
>
> You've got it almost right.
> In fact you've got it right.
> But I like to use an interpretation of my name where Øy- is a rewrite or
> modernization of old Norse Ey- meaning island.
> The second part is -vind, as you mentioned, derived from windr, meaning
> wind.
> But the context of the name is probably the name of a warrior who swept
> across the islands like a wind.
> I think it sounds better! To be named after a warrior and not a breeze of
> light air :-)
>
> There is, to my knowledge, an English equivalent, but the pronunciation is
> very close to the Russian name Ivan.
>
>
> --
>
> Kind regards
> Øyvind Granberg
>
> tresfjording@live.no
> www.tresfjording.com
>
> "~BD~" wrote in the news message:
> ubTH4NaSJHA.4452@TK2MSFTNGP03.phx.gbl ...
>> Congratulations, Øyvind - I'll bet that you are pleased! ;-)
>>
>> Btw - what is the English equivalent of your first name? I
>> discovered that Øyvind is from the Old Norse name Eyvindr, which was
>> derived from ey meaning "island" and vindr possibly meaning "victory" or
>> "wind". Just wondering.
>>
>> Dave
>>
 
