<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD>
<BODY>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Hansen, Kevin
[mailto:kevin.hansen@thomson.com] <BR><B>Sent:</B> Wednesday, October 01, 2003
2:19 PM<BR><B>To:</B> 'full-disclosure@lists.netsys.com'<BR><B>Subject:</B>
[Full-Disclosure] Mystery DNS Changes<BR><BR></FONT></DIV>
<P><FONT face=Arial size=2>We have seen multiple instances where DHCP-enabled
workstations have had their DNS reconfigured to point to two of the three
addresses listed below. Can anyone else confirm this? Incidents.org is
reporting an increase in port 53 traffic over the last two days. Are we
looking at the precursor to the next worm?</FONT></P>
<P><FONT face=Arial size=2>216.127.92.38</FONT> <BR><FONT face=Arial
size=2>69.57.146.14</FONT> <BR><FONT face=Arial
size=2>69.57.147.175</FONT> <SPAN class=728292421-01102003><FONT
face=Arial color=#0000ff size=2> </FONT></SPAN></P>
<P><SPAN class=728292421-01102003><FONT face=Arial color=#0000ff
size=2>According to McAfee:</FONT></SPAN></P><SPAN
class=728292421-01102003><FONT size=2>
<P>This is the QHosts-1 trojan </FONT><A
href="http://vil.nai.com/vil/content/v_100719.htm"><U><FONT color=#0000ff
size=2>http://vil.nai.com/vil/content/v_100719.htm</FONT></U></A></P>
<P><FONT size=2>Paul Schmehl (pauls@utdallas.edu)<BR>Adjunct Information
Security Officer<BR>The University of Texas at Dallas<BR>AVIEN Founding
Member<BR><A
href="http://www.utdallas.edu/~pauls/">http://www.utdallas.edu/~pauls/</A>
</FONT></SPAN></P></BLOCKQUOTE></BODY></HTML>