[Full-Disclosure] Mystery DNS Changes
Russell Fulton
r.fulton at auckland.ac.nz
Wed Oct 1 22:14:14 BST 2003
On Thu, 2003-10-02 at 08:04, Gary Flynn wrote:
> Hansen, Kevin wrote:
>
> > We have seen multiple instances where DHCP enabled workstations have had
> > their DNS reconfigured to point to two of the three addresses listed below.
> > Can anyone else confirm this? Incidents.org is reporting an increase in port
> > 53 traffic over the last two days. Are we looking at the precursor to the
> > next worm?
>
> This is currently being discussed on NTBUGTRAQ too.
This is the QHosts-1 trojan
http://vil.nai.com/vil/content/v_100719.htm
This information was posted to the Avien list about an hour ago by
Craig Schmugar, McAfee AVERT.
<advertisement> :)
If you want fast access to information on trojans and viruses Avien is
the place to be. Yes is costs but the membership fees are modest and
extremely good value.
www.avien.org
</advertisement>
--
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
Full-Disclosure is hosted and sponsored by Secunia.