[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Mystery DNS Changes

To: Gary Flynn <flynngn@jmu.edu>
Subject: Re: [Full-Disclosure] Mystery DNS Changes
From: Russell Fulton <r.fulton@auckland.ac.nz>
Date: Thu, 02 Oct 2003 09:14:14 +1200

On Thu, 2003-10-02 at 08:04, Gary Flynn wrote:
> Hansen, Kevin wrote:
> 
> > We have seen multiple instances where DHCP enabled workstations have had
> > their DNS reconfigured to point to two of the three addresses listed below.
> > Can anyone else confirm this? Incidents.org is reporting an increase in port
> > 53 traffic over the last two days. Are we looking at the precursor to the
> > next worm?
> 
> This is currently being discussed on NTBUGTRAQ too.

This is the QHosts-1 trojan
http://vil.nai.com/vil/content/v_100719.htm

This information was posted to the Avien list about an hour ago by
Craig Schmugar, McAfee AVERT.

<advertisement> :)
If you want fast access to information on trojans and viruses Avien is
the place to be.  Yes is costs but the membership fees are modest and
extremely good value.

www.avien.org
</advertisement>
-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Mystery DNS Changes
  - From: "Hansen, Kevin" <kevin.hansen@thomson.com>
- Re: [Full-Disclosure] Mystery DNS Changes
  - From: Gary Flynn <flynngn@jmu.edu>

Prev by Date: Re: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT
Next by Date: Re: [Full-Disclosure] Mystery DNS Changes
Previous by thread: Re: [Full-Disclosure] Mystery DNS Changes
Next by thread: Re: [Full-Disclosure] Mystery DNS Changes
Index(es):
- Date
- Thread