Wireless-Mobile Devices Security Alerts (PDAMobileCafeMobileAlertList) - Message #98 of 213
DNSChanger Malware Removal - Notes Show All (Internet goes dark March 8)
February 23, 2012 - bluecollarpc
https://bluecollarpcwebs.wordpress.com/2012/02/23/dnschanger-malware-removal-notes-show-all-internet-goes-dark-march-8/


BELOW IS MOST OF WHAT THE AVIRA TOOL IS DOING WITH A CLICK ..

Tool available for those affected by the DNS-Changer
http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

The Truth About the March 8 Internet Doomsday
http://www.pcworld.com/article/250296/the_truth_about_the_march_8_internet_doomsday.html#tk.nl_spx_t_cbintro


US-CERT Current Activity - DNSChanger Malware
http://www.us-cert.gov/current/index.html
http://www.us-cert.gov/current/index.html#operation_ghost_click_malware

Hi all... one area that is common with this area of malware changes is malware
getting into the PC and changing "Hosts Files" for a redirect usually to more
malicious websites for nefarious reasons. There are more key words for search
such as "IP Spoofing" and "DNS Cache Poisoning" ..

http://www.webopedia.com/TERM/I/IP_spoofing.html
http://en.wikipedia.org/wiki/DNS_cache_poisoning

This is off the cuff but from years of experience with the "badware" as it is
sometimes called for a universal term covering all and all they do. I am
throwing an educated guess at the payload involved and may even involve some
variants or residuals on individual basis per handfuls here and there of
hundreds to thousands of personal computers. A Botherder or Botmaster is a
Command and Control console type arrangement the culprit(s) runs and attempts
clandestine contact to infected computers that can go into the millions - but to
partially set some aside to test out how their malware payload is holding up
against detection. They may have purposely infected the handfuls with variants
of the payload in an attempt to resurrect the whole episode all over again. They
(cyber criminals) have become very, very sophisticated anymore. Any phrase like
"doomsday" today can actually be no exaggeration anymore.

The measures taken here by the FBI et al are unprecedented and on the scale of
"State Sanctioned". It has been obviously a measure not only to attempt
correction and for protection of all infected computers and their users private
data - but to keep internet commerce itself alive, as the loss of millions would
obviously have a large effect.

I admittedly only perform some amateur forensics and would need probably days
upon days upon days to do a write up for full manual removal and correction of
an affected system. I most likely could find the actual payload, as there are
handfuls of company online search engines for just that. But, if one has a
little savvy and wants to attempt further manual removal of the malware to avoid
cost at a PC Repair Shop - here are some tips. Mind you, in this case a Shop
will obviously advise to reinstall Windows after completely wiping (erasing) the
disk first - a common automatic procedure with a Windows CD/DVD or if you have
made an Emergency CD Repair CD/DVD. (I would advise do NOT hit "Repair" but go
ahead and back up all files first you wish to save and then completely reinstall
Windows and THEN also scan the backed up files for malware before reinstalling
to the PC now in Factory Fresh condition.)

REVIEW THIS FOR HOSTS FILES..
Blocking Unwanted Parasites with a Hosts File
http://winhelp2002.mvps.org/hosts.htm
(In other words in this area you are looking for how to Restore your Hosts
Files before infection that changed them.)

How can I reset the Hosts file back to the default?
http://support.microsoft.com/kb/972034
MICROSOFT FIX IT TOOL ***** HOSTS FILES

ALSO..
How to reset Internet Protocol (TCP/IP)
http://support.microsoft.com/kb/299357

A Point of Entry and Attack is the firewall that may even have been
circumvented.
Tunneling to circumvent firewall policy
http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy

You may want to uninstall it and clean up left over files and registry
entries (Registry Cleaner). Here is about the best and indeed they have finally
released a free home version ..
PowerTools Lite 2011 [Genuine Freeware]
- The Freeware Registry and System Cleaner
http://www.macecraft.com/powertoolslite2011/
(Which is of course by the famous jv16 PowerTools - by far the top recommended
for a decade, about.)

YUCK. one more area to review..

TCP reset attack
From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/TCP_reset_attack

Bottom line.. Above was posted for review, and hastily, if there are still
problems and if need be to mention in the event of a necessary trip to the PC
Repair Shop. Attempt recommended Avira Tool in these emails as advised. Check
out the US CERT links if needed or as double check after Avira clean up - there
is a link for detection at the FBI site for anyone fearing infection I believe.
(Avira has consistently had one of the best detection/blocking/removal ratings
for years - visit VirusTotal).

AS I SUSPECTED THERE ARE MANY VARIANTS .. LIST (omg There are 23 variants
presently!!!) (Absolutely a Shop will advise to reinstall Windows without
batting an eye)

*COMPUTER ASSOCIATES*
SOURCE / ONLINE SEARCH ENGINE AND TYPE IN "DNSChanger" as malware payload
look up.
CA Spyware Information Center (Search Engine)
http://www3.ca.com/securityadvisor/pest/
CA Spyware Information Center search engine (ComputerAssociates, makers of
PestPatrol and many security wares)
(*Malware search engine look up is top right)

SEARCH RESULTS: (hot links at results link for each below; every entry is a
CA Technologies Quick View whose Description field repeats the variant name)
http://www.ca.com/us/search/default.aspx?q=dnschanger&sk=findthreat&backUrl=http%3A%2F%2Fwww.ca.com%2Fus%2Fspyware.aspx

 1. DNSChanger B - Size: 36 KB, Date: 01/09/2007
 2. DNSChanger P - Size: 36 KB, Date: 02/22/2012
 3. DNSChanger P (CA Quick View) - Size: 50 KB, Date: 11/20/2009
 4. DNSChanger G - Size: 37 KB, Date: 02/19/2012
 5. DNSChanger C - Size: 36 KB, Date: 04/19/2007
 6. DNSChanger S - Size: 36 KB, Date: 02/22/2012
 7. DNSChanger U - Size: 36 KB, Date: 01/29/2010
 8. DNSChanger T - Size: 36 KB, Date: 01/29/2010
 9. DNSChanger M - Size: 36 KB, Date: 02/21/2012
10. DNSChanger L - Size: 36 KB, Date: 07/17/2009
11. DNSChanger - Size: 36 KB, Date: 06/14/2006
12. DNSChanger r - Size: 36 KB, Date: 02/21/2012
13. DNSChanger I - Size: 36 KB, Date: 02/20/2012
14. DNSChanger azf - Size: 36 KB, Date: 02/20/2012
15. DNSChanger H - Size: 36 KB, Date: 02/19/2012
16. DNSChanger E - Size: 37 KB, Date: 11/26/2007
17. DNSChanger D - Size: 37 KB, Date: 02/19/2012
18. DNSChanger k - Size: 36 KB, Date: 08/04/2008
19. DNSChanger A - Size: 36 KB, Date: 07/29/2008
20. DNSChanger ayy - Size: 36 KB, Date: 02/05/2012
21. DNSChanger arn - Size: 36 KB, Date: 03/11/2008
22. DNSChanger aum - Size: 36 KB, Date: 03/11/2008
23. DNSChanger F - Size: 37 KB, Date: 02/19/2012

BASIC PAYLOAD...
DNSChanger
Date Published:
Wednesday, June 14, 2006
Alias
W32/Backdoor.KGE [F-Prot Antivirus]
Overall Risk : HIGH
Category
Trojan: Any program with a hidden intent. Trojans are one of the leading
causes of breaking into machines. If you pull down a program from a chat
room, newsgroup, or even from unsolicited e-mail, then the program is likely
trojaned with some subversive purpose. The word Trojan can be used as a
verb: To trojan a program is to add subversive functionality to an existing
program. For example, a trojaned login program might be programmed to accept
a certain password for any user's account that the hacker can use to log
back into the system at any time. Rootkits often contain a suite of such
trojaned programs.
Date of Origin
date of origin: Variants from September, 2009 to September, 2009
Operation
DNSChanger: at least DNSChangerKB
Files:
[tn]dnschanger.exe
2701526
hgqhp.exe
kdrgh.exe
virtue_7884154
kdrgh.exe
hgqhp.exe
[tn]dnschanger.exe

WEBMASTER / http://www.bluecollarpc.us/

PS - a quality real time protection antimalware installed no doubt would have
blocked this infection and variants to date. Cyber Crime Units have about the
rest of all information needed no doubt by now with professional forensics
performed.


Fri Feb 24, 2012 4:01 am

gerald60606
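The post's hosts-file advice (malware rewriting the hosts file to redirect names, then restoring it to the default) can be checked before reaching for the Fix It tool. The script below is an added example, not code from the post, the blog or any tool it links; the sample hosts content and the 203.0.113.45 address are constructed, and the "clean default" it emits is a minimal stand-in for the Microsoft default, not a copy of it.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a tampered Windows hosts file (not taken from the post);
# 203.0.113.45 is from a documentation range and stands in for an attacker host.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
0.0.0.0     ad.example.net          # blocklist-style sink entry, harmless
203.0.113.45   www.avira.com        # constructed: vendor site sent off-box
203.0.113.45   www.us-cert.gov  support.microsoft.com
256.1.1.1   broken.example          # constructed: not a valid address
"""

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries

def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag entries that send a hostname anywhere other than the local machine
    or the null address (0.0.0.0 / ::). Loopback and null-sink entries are the
    only ones a clean or ad-blocking hosts file normally contains; anything
    else is the redirect pattern the post describes."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "kind": "malformed", "address": addr, "names": names})
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append({"line": lineno, "kind": "redirect", "address": addr, "names": names})
    return findings

def default_hosts() -> str:
    """Minimal clean content to write back after removal (assumed stand-in for
    the Microsoft default; Windows resolves localhost internally anyway)."""
    return "127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['kind']} {f['address']} -> {', '.join(f['names'])}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit_hosts` and review every "redirect" finding before replacing the file.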
