Re: HOSTS File Hijack - Search Engines redirect to 64.191.95.139 in HOSTS file

From: Sean Kornish (countzero67_at_HOTMAIL.COM)
Date: 10/01/03

    Date:         Wed, 1 Oct 2003 13:13:22 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    It is most likely this trojan:
    http://www.europe.f-secure.com/v-descs/delude.shtml

    Clean up your cookies, remove any erroneous entries in your hosts file, and
    set it to read-only. Also, I would recommend downloading a copy of
    HijackThis (http://www.tomcoyote.org/hjt/) and removing any possibly
    malicious entries.

    -Sean Kornish
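A way to check for the hijack pattern the thread describes (search-engine names pointed at a non-loopback address in the HOSTS file) before doing the cleanup Sean suggests. This is an added example, not code from the list or from either poster; the sample HOSTS content and the watched-domain list are constructed, and the only address taken from the thread is 64.191.95.139.

```python
import ipaddress

# Constructed sample modelled on the reported symptom: several search-engine
# names all resolved to the same address, 64.191.95.139, alongside normal lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.191.95.139   www.google.com
64.191.95.139   search.yahoo.com  # added by the trojan
64.191.95.139   www.altavista.com
10.0.0.5        intranet.example.local
"""

# Names that should never be overridden locally; extend for your environment.
WATCHED_DOMAINS = {"www.google.com", "search.yahoo.com",
                   "www.altavista.com", "www.msn.com"}

def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every non-comment entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, not an entry
        entries.append((no, ip, [h.lower() for h in parts[1:]]))
    return entries

def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return entries mapping a watched name to anything but loopback."""
    hits = []
    for no, ip, names in parse_hosts(text):
        if ip.is_loopback:
            continue
        bad = sorted(n for n in names if n in watched)
        if bad:
            hits.append((no, str(ip), bad))
    return hits

def clean_hosts(text, watched=WATCHED_DOMAINS):
    """Return the file with hijacked lines removed and everything else intact."""
    bad_lines = {no for no, _, _ in find_hijacks(text, watched)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for no, ip, names in find_hijacks(SAMPLE_HOSTS):
        print(f"line {no}: {', '.join(names)} -> {ip}")
```

On a real machine, read the Windows HOSTS file into `text`, review what `find_hijacks` reports, and only then write back the output of `clean_hosts` and set the file read-only.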

    ----- Original Message -----
    From: "Edward Sullivan" <esullivan@KMA.COM>
    To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Sent: Thursday, September 25, 2003 3:59 PM
    Subject: HOSTS File Hijack - Search Engines redirect to 64.191.95.139 in
    HOSTS file

    http://www.tweakxp.com/readNews.aspx?id=2048

    Has anyone else encountered this, and any news on what spyware application
    or trojan is hijacking the hosts file? We have an infected system offsite,
    and have used SpyBot, PestPatrol, and AdAware and none seem to detect the
    culprit. NAV signatures are up to date, and do not detect it either.

    A more detailed description of the symptoms can be found here:

    http://forums.techguy.org/t165625/s5ec145a8ddc56bd0afb7ce46ecaaa70e.html

    Ed Sullivan
    Director of Information Technology
    esullivan@kma.com
    KMA Direct Communications
    Confidential and Proprietary

