Re: HOSTS File Hijack - Search Engines redirect to 64.191.95.139 in HOSTS file
From: Sean Kornish (countzero67_at_HOTMAIL.COM)
Date: 10/01/03
- In reply to: Edward Sullivan: "HOSTS File Hijack - Search Engines redirect to 64.191.95.139 in HOSTS file"
Date: Wed, 1 Oct 2003 13:13:22 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
It is most likely this trojan:
http://www.europe.f-secure.com/v-descs/delude.shtml
Clean up your cookies, remove any erroneous entries in your hosts file, and
set it to read-only. Also, I would recommend downloading a copy of
HijackThis (http://www.tomcoyote.org/hjt/) and removing any possibly
malicious entries.
-Sean Kornish
----- Original Message -----
From: "Edward Sullivan" <esullivan@KMA.COM>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Thursday, September 25, 2003 3:59 PM
Subject: HOSTS File Hijack - Search Engines redirect to 64.191.95.139 in HOSTS file
http://www.tweakxp.com/readNews.aspx?id=2048
Has anyone else encountered this, and any news on what spyware application
or trojan is hijacking the hosts file? We have an infected system offsite,
and have used SpyBot, PestPatrol, and AdAware and none seem to detect the
culprit. NAV signatures are up to date, and do not detect it either.
A more detailed description of the symptoms can be found here:
http://forums.techguy.org/t165625/s5ec145a8ddc56bd0afb7ce46ecaaa70e.html
Ed Sullivan
Director of Information Technology
esullivan@kma.com
KMA Direct Communications
Confidential and Proprietary
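
A check for the symptom this thread describes, as an added example that is not part of either message: it parses a HOSTS file and reports any public IP address that two or more hostnames are pinned to. The hostnames and file contents are constructed sample data; only the address 64.191.95.139 comes from the thread, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample HOSTS file; only the IP 64.191.95.139 comes from the thread.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
::1             localhost
64.191.95.139   www.google.com google.com   # injected entry
64.191.95.139   search.yahoo.com
64.191.95.139\tsearch.msn.com
0.0.0.0         ads.example.test
10.0.0.5        fileserver.corp.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address field; skip it
        yield line_no, ip, [h.lower() for h in fields[1:]]

def suspicious_entries(text, min_names=2):
    """Return {ip: [(line_no, hostname), ...]} for public IPs that at least
    min_names distinct hostnames are pinned to."""
    by_ip = defaultdict(list)
    for line_no, ip, names in parse_hosts(text):
        # Loopback/unspecified entries are normal (localhost, ad blocking);
        # private addresses are usually deliberate intranet overrides.
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            continue
        by_ip[str(ip)].extend((line_no, n) for n in names)
    return {ip: hits for ip, hits in by_ip.items()
            if len({n for _, n in hits}) >= min_names}

if __name__ == "__main__":
    for ip, hits in suspicious_entries(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(hits)} hostnames pinned")
        for line_no, name in hits:
            print(f"  line {line_no}: {name}")
```

On Windows NT/2000/XP the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; read it with open(path).read() and pass the text to suspicious_entries.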