Solved

Weird virus issue

Posted on 2011-09-04
7
633 Views
Last Modified: 2013-11-22
Shortly after plugging in an infected system to my linksys router (it had, what I though, just a fraudware program running), something strange happened.

Every device on our network, iphones, PC's and others could not get to the web. Upon opening the browser of any device and pointing to any website, I would get this message:

"Update your browser. This page does not support your version of browser
Please update your software."


The download button was to some EXE file updbrowser20110904.exe.

My LAN icon said local/private access only (no public or internet). Tried diagnosing and releasing/renewing. Tried powering off modem and router then powering back on, resetting factory settings, etc, no luck.

It wasn't until I unplugged the infected system from the router that things started to work again.

Anyone know what virus this is? MWB not showing anything locally on the system. It seems like the infected one pretended to be the router somehow and was forcing all other devices to go through it.

This was the source code of the website all devices would get directed to:


<html><head><meta name="copyright" content="(C) Bank of Nikolai. Look I have a pen !"><style type="text/css">body{font-family:verdana,helvetica;background-color:#ffffff;}td.logo{padding:10px;width:50px;}td.head{font-size:16px;color:#a07070;border-bottom:solid 1px #e0e0e0;width:400px;height:50px;}td.update{font-size:13px;color:#808080;padding-top:10px;}td.button{padding:10px}input{font-family:verdana,helvetica;font-size:12px;height:24px;}</style></head><body><table rows="3" cols="2"><tr><td valign="top" rowspan="3" class="logo"><img width="64px" height="64px" src="http://update.browser.com/update.jpg"></td><td class="head">Update your browser</td></tr><tr><td class="update">This page does not support your version of browser<br>Please update your software</td></tr><tr><td class="button"><form action="http://update.browser.com/download.php"><input type="submit" value="Browser update"></td></tr></form></table></body></html>


I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?


The "website" had a download to "updbrowser20110904.exe".
VirusTotal scan of the file: http://www.virustotal.com/file-scan/report.html?id=9d4ef7c4a8e9a4bc5df8a92e75d0c45e658b9721b9c2a45a7f084d4e1c023d38-1315089328
Only a few Google Results of the filename: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=updbrowser20110904.exe

Running a VM malwarebytes detected as Spyware.Passwords.XGen
0
Comment
Question by:garryshape
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 12

Accepted Solution

by:
marcustech earned 100 total points
ID: 36481268
I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?

You'd really need to check the IP configuration and nslookup results on the systems to determine how this was done.  Usually it's a simple UPnP DNS poisoning on the gateway router, if it's something more then you would really have to run more diagnostics to find out what was happening to your web traffic.
0
 
LVL 20

Assisted Solution

by:n2fc
n2fc earned 100 total points
ID: 36481366
The virus probably infected  your router and at least messed the DNS settings (if not more)...

1) Unplug the infected PC and deal with it OFFLINE
2) Reset the router to FACTORY settings and attempt to reprogram it as needed
0
 
LVL 20

Expert Comment

by:n2fc
ID: 36481375
Another possibilty is that the infected computer is acting as a DHCP server on the network, usurping that function from your router...  and giving out the bad DNS settings.

1. Run a "ipconfig /all" on the affected computer(s).
2. Look at the "DHCP Server" entry and see if does not correspond to your router's IP. The IP will be of a local computer that is hosting the DHCP services.
3. Trace the IP to the bad DHCP server, REMOVE from network.
4. Run a "ipconfig /release" then a "ipconfig /renew" on the affected computer to obtain DHCP settings from the router.
5. Sanitize local computers as needed using the slew of utilities out there.

The bad DNS entry that we've seen is "188.229.88.7"
Add to local firewall or router restrictions
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 38

Assisted Solution

by:younghv
younghv earned 100 total points
ID: 36481396
An infected router is definitely a possibility. Review the details in this EE Article for the details:
http://www.experts-exchange.com/A_5327.html - Infected Router - Google Search Redirects Even on a Clean System
0
 

Author Comment

by:garryshape
ID: 36481460
I'm not having the issue since I turned off/unplugged the infected PC.
Will fire it back up (unplugged from network) and run some follow up scans.

But it doesn't see to me the router's infected, fortunately. Its IP settings look good and so do the local ipconfig /all settings on the systems.
0
 
LVL 13

Assisted Solution

by:F Igor
F Igor earned 100 total points
ID: 36482508
You can try some checks to ensure the routes is working fine:

Take note on the actual parameters given in some machine when you get the IP:

Current IP
Gateway IP
DNS IP


When you try the DHCP release/renew, take note on the DHCP server IP
(maybe the infected PC acting as DHCP server and bringing a different DNS/gateway config) . COmpare the new IP configuration if it's something wrong.



If the IP configuration is ok, you can try to test the DNS resolving:
nslookup www.google.com 

Open in new window

Se the response with and without the infected PC conencted and compare.

Also Compare the routing results:

tracert www.google.com

Open in new window




If the infected PC are acting as DHCP or gateway it could be bringing different results that you're getting normally.
0
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 100 total points
ID: 36511165
As suggested by younghv above go to the article written by RPG, reset the router to default and change the password of the router after resetting it to default.

Then as mentioned in the article scan with MBAM but after running Rogue Killer. Another recommendation is running TDSSKIller from Kaspersky.

Recommended readings
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

TDSSKIller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
or
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question