Solved

Weird virus issue

Posted on 2011-09-04
Last Modified: 2013-11-22
Shortly after plugging an infected system into my Linksys router (it had, what I thought, just a fraudware program running), something strange happened.

Every device on our network (iPhones, PCs and others) could not get to the web. Upon opening the browser on any device and pointing it to any website, I would get this message:

"Update your browser. This page does not support your version of browser
Please update your software."


The download button pointed to some EXE file, updbrowser20110904.exe.

My LAN icon said local/private access only (no public or internet). Tried diagnosing and releasing/renewing. Tried powering off the modem and router then powering them back on, resetting to factory settings, etc.; no luck.

It wasn't until I unplugged the infected system from the router that things started to work again.

Anyone know what virus this is? MWB isn't showing anything locally on the system. It seems like the infected one pretended to be the router somehow and was forcing all other devices to go through it.

This was the source code of the website all devices would get directed to:


<html><head>
<meta name="copyright" content="(C) Bank of Nikolai. Look I have a pen !">
<style type="text/css">
body{font-family:verdana,helvetica;background-color:#ffffff;}
td.logo{padding:10px;width:50px;}
td.head{font-size:16px;color:#a07070;border-bottom:solid 1px #e0e0e0;width:400px;height:50px;}
td.update{font-size:13px;color:#808080;padding-top:10px;}
td.button{padding:10px}
input{font-family:verdana,helvetica;font-size:12px;height:24px;}
</style>
</head>
<body>
<table rows="3" cols="2">
<tr><td valign="top" rowspan="3" class="logo"><img width="64px" height="64px" src="http://update.browser.com/update.jpg"></td><td class="head">Update your browser</td></tr>
<tr><td class="update">This page does not support your version of browser<br>Please update your software</td></tr>
<tr><td class="button"><form action="http://update.browser.com/download.php"><input type="submit" value="Browser update"></td></tr></form>
</table>
</body></html>


I had run rkill and then MWB on the infected system but hadn't rebooted yet. I wonder if this computer infected the router, or if it was itself still infected before the reboot and was still posing as a gateway and serving a malicious website through a local web server?


The "website" had a download to "updbrowser20110904.exe".
VirusTotal scan of the file: http://www.virustotal.com/file-scan/report.html?id=9d4ef7c4a8e9a4bc5df8a92e75d0c45e658b9721b9c2a45a7f084d4e1c023d38-1315089328
Only a few Google Results of the filename: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=updbrowser20110904.exe

Running it in a VM, Malwarebytes detected it as Spyware.Passwords.XGen.
Question by:garryshape
7 Comments

LVL 12

Accepted Solution

by: marcustech (earned 100 total points)
I had run rkill and then MWB on the infected system but hadn't rebooted yet. I wonder if this computer infected the router, or if it was itself still infected before the reboot and was still posing as a gateway and serving a malicious website through a local web server?

You'd really need to check the IP configuration and nslookup results on the systems to determine how this was done. Usually it's a simple UPnP DNS poisoning on the gateway router; if it's something more, then you would really have to run more diagnostics to find out what was happening to your web traffic.

LVL 19

Assisted Solution

by: n2fc (earned 100 total points)
The virus probably infected your router and at least messed up the DNS settings (if not more)...

1) Unplug the infected PC and deal with it OFFLINE
2) Reset the router to FACTORY settings and attempt to reprogram it as needed

LVL 19

Expert Comment

by: n2fc
Another possibility is that the infected computer is acting as a DHCP server on the network, usurping that function from your router... and giving out the bad DNS settings.

1. Run a "ipconfig /all" on the affected computer(s).
2. Look at the "DHCP Server" entry and see if it does not correspond to your router's IP. The IP will be that of a local computer that is hosting the DHCP service.
3. Trace the IP to the bad DHCP server, REMOVE from network.
4. Run a "ipconfig /release" then a "ipconfig /renew" on the affected computer to obtain DHCP settings from the router.
5. Sanitize local computers as needed using the slew of utilities out there.

The bad DNS entry that we've seen is "188.229.88.7"
Add to local firewall or router restrictions
LVL 38

Assisted Solution

by: younghv (earned 100 total points)
An infected router is definitely a possibility. Review this EE Article for the details:
http://www.experts-exchange.com/A_5327.html - Infected Router - Google Search Redirects Even on a Clean System

Author Comment

by: garryshape
I'm not having the issue since I turned off/unplugged the infected PC.
Will fire it back up (unplugged from network) and run some follow up scans.

But it doesn't seem to me that the router's infected, fortunately. Its IP settings look good, and so do the local ipconfig /all settings on the systems.

LVL 13

Assisted Solution

by: F Igor (earned 100 total points)
You can try some checks to ensure the router is working fine:

Take note of the actual parameters given to some machine when it gets its IP:

Current IP
Gateway IP
DNS IP

When you try the DHCP release/renew, take note of the DHCP server IP (maybe the infected PC is acting as DHCP server and handing out a different DNS/gateway config). Compare the new IP configuration to see if something is wrong.



If the IP configuration is OK, you can try to test the DNS resolving:

nslookup www.google.com

See the response with and without the infected PC connected and compare.

Also compare the routing results:

tracert www.google.com

If the infected PC is acting as DHCP server or gateway, it could be giving different results from what you normally get.
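To make the comparison described in n2fc's ipconfig /all steps and F Igor's "take note of the DHCP server, gateway and DNS" advice repeatable, here is an added Python example, not code from the thread: it parses a saved ipconfig /all dump and flags any adapter whose DHCP server, gateway or DNS addresses are not the router's. The sample output is constructed, and the router address and trusted DNS set are assumptions.

```python
import re

# Constructed "ipconfig /all" sample (not from the thread): lease from a LAN host, bad DNS first.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.37
   DNS Servers . . . . . . . . . . . : 188.229.88.7
                                       192.168.1.1
"""

FIELD = re.compile(r"^   (\S.*?)[ .]*:\s?(.*)$")  # "   Name . . . : value" (3-space indent)

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; deeper-indented lines extend the last field."""
    adapters, adapter, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            adapter, field = line[:-1], None        # "Ethernet adapter X:" header
            adapters[adapter] = {}
        elif adapter is None or not line.strip():
            continue
        elif (m := FIELD.match(line)):               # new field; value may be empty
            field = m.group(1)
            adapters[adapter][field] = [m.group(2)] if m.group(2) else []
        elif field is not None:                      # continuation value for the last field
            adapters[adapter][field].append(line.strip())
    return adapters

def audit_adapter(fields, router_ip, trusted_dns):
    """List every value that disagrees with what the real router should hand out."""
    findings = []
    dhcp = fields.get("DHCP Server", [])
    if dhcp and dhcp[0] != router_ip:
        findings.append(f"DHCP lease came from {dhcp[0]}, not the router {router_ip}")
    gateway = fields.get("Default Gateway", [])
    if gateway and gateway[0] != router_ip:
        findings.append(f"default gateway is {gateway[0]}, not the router {router_ip}")
    for server in fields.get("DNS Servers", []):
        if server not in trusted_dns:
            findings.append(f"untrusted DNS server {server} handed out by DHCP")
    return findings

if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE_IPCONFIG).items():
        print(name, "->", audit_adapter(fields, "192.168.1.1", {"192.168.1.1"}) or "looks normal")
```

Save the real output with `ipconfig /all > before.txt` on the affected PC, with and without the suspect machine plugged in, and feed each file to parse_ipconfig; a lease whose DHCP Server entry is a LAN host rather than the router is the rogue-DHCP case n2fc describes.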

LVL 29

Assisted Solution

by: Sudeep Sharma (earned 100 total points)
As suggested by younghv above, go to the article written by RPG, reset the router to default and change the password of the router after resetting it to default.

Then, as mentioned in the article, scan with MBAM, but after running Rogue Killer. Another recommendation is running TDSSKiller from Kaspersky.

Recommended readings
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
or
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep