Solved

Weird virus issue

Posted on 2011-09-04
Last Modified: 2013-11-22
Shortly after plugging in an infected system to my Linksys router (it had, what I thought, just a fraudware program running), something strange happened.

Every device on our network, iPhones, PCs and others, could not get to the web. Upon opening the browser of any device and pointing to any website, I would get this message:

"Update your browser. This page does not support your version of browser
Please update your software."


The download button was to some EXE file updbrowser20110904.exe.

My LAN icon said local/private access only (no public or internet). Tried diagnosing and releasing/renewing. Tried powering off modem and router then powering back on, resetting factory settings, etc, no luck.

It wasn't until I unplugged the infected system from the router that things started to work again.

Anyone know what virus this is? MWB not showing anything locally on the system. It seems like the infected one pretended to be the router somehow and was forcing all other devices to go through it.

This was the source code of the website all devices would get directed to:


<html><head><meta name="copyright" content="(C) Bank of Nikolai. Look I have a pen !"><style type="text/css">body{font-family:verdana,helvetica;background-color:#ffffff;}td.logo{padding:10px;width:50px;}td.head{font-size:16px;color:#a07070;border-bottom:solid 1px #e0e0e0;width:400px;height:50px;}td.update{font-size:13px;color:#808080;padding-top:10px;}td.button{padding:10px}input{font-family:verdana,helvetica;font-size:12px;height:24px;}</style></head><body><table rows="3" cols="2"><tr><td valign="top" rowspan="3" class="logo"><img width="64px" height="64px" src="http://update.browser.com/update.jpg"></td><td class="head">Update your browser</td></tr><tr><td class="update">This page does not support your version of browser<br>Please update your software</td></tr><tr><td class="button"><form action="http://update.browser.com/download.php"><input type="submit" value="Browser update"></td></tr></form></table></body></html>


I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?


The "website" had a download to "updbrowser20110904.exe".
VirusTotal scan of the file: http://www.virustotal.com/file-scan/report.html?id=9d4ef7c4a8e9a4bc5df8a92e75d0c45e658b9721b9c2a45a7f084d4e1c023d38-1315089328
Only a few Google Results of the filename: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=updbrowser20110904.exe

Running a VM malwarebytes detected as Spyware.Passwords.XGen
Question by:garryshape
7 Comments
 
LVL 12

Accepted Solution

by:
marcustech earned 400 total points
ID: 36481268
I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?

You'd really need to check the IP configuration and nslookup results on the systems to determine how this was done.  Usually it's a simple UPnP DNS poisoning on the gateway router, if it's something more then you would really have to run more diagnostics to find out what was happening to your web traffic.
0
 
LVL 20

Assisted Solution

by:n2fc
n2fc earned 400 total points
ID: 36481366
The virus probably infected  your router and at least messed the DNS settings (if not more)...

1) Unplug the infected PC and deal with it OFFLINE
2) Reset the router to FACTORY settings and attempt to reprogram it as needed
0
 
LVL 20

Expert Comment

by:n2fc
ID: 36481375
Another possibility is that the infected computer is acting as a DHCP server on the network, usurping that function from your router... and giving out the bad DNS settings.

1. Run a "ipconfig /all" on the affected computer(s).
2. Look at the "DHCP Server" entry and see if it does not correspond to your router's IP. The IP will be of a local computer that is hosting the DHCP services.
3. Trace the IP to the bad DHCP server, REMOVE from network.
4. Run a "ipconfig /release" then a "ipconfig /renew" on the affected computer to obtain DHCP settings from the router.
5. Sanitize local computers as needed using the slew of utilities out there.

The bad DNS entry that we've seen is "188.229.88.7"
Add to local firewall or router restrictions
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 400 total points
ID: 36481396
An infected router is definitely a possibility. Review the details in this EE Article for the details:
http://www.experts-exchange.com/A_5327.html - Infected Router - Google Search Redirects Even on a Clean System
0
 

Author Comment

by:garryshape
ID: 36481460
I'm not having the issue since I turned off/unplugged the infected PC.
Will fire it back up (unplugged from network) and run some follow up scans.

But it doesn't seem to me the router's infected, fortunately. Its IP settings look good and so do the local ipconfig /all settings on the systems.
0
 
LVL 13

Assisted Solution

by:F Igor
F Igor earned 400 total points
ID: 36482508
You can try some checks to ensure the router is working fine:

Take note of the actual parameters given on some machine when you get the IP:

Current IP
Gateway IP
DNS IP


When you try the DHCP release/renew, take note of the DHCP server IP
(maybe the infected PC is acting as DHCP server and bringing a different DNS/gateway config). Compare the new IP configuration to see if something is wrong.



If the IP configuration is ok, you can try to test the DNS resolving:
nslookup www.google.com 


See the response with and without the infected PC connected and compare.

Also compare the routing results:

tracert www.google.com

If the infected PC is acting as DHCP or gateway it could be bringing different results than you're getting normally.
0
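
The check described in the two answers above (compare the "DHCP Server", gateway and DNS entries from `ipconfig /all` against the router), as an added Python example that is not part of the original thread. It assumes English-language `ipconfig` output and a router at 192.168.1.1; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed `ipconfig /all` excerpt (not captured from the thread). The DNS
# value 188.229.88.7 is the bad entry quoted above; 192.168.1.105 is a
# made-up LAN host handing out leases in place of the router at 192.168.1.1.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.105
   DHCP Server . . . . . . . . . . . : 192.168.1.105
   DNS Servers . . . . . . . . . . . : 188.229.88.7
                                       192.168.1.1
"""

FIELD = re.compile(r"^\s+(.+?)(?:\s*\.)+\s*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {section name: {field: [values]}} from `ipconfig /all` text."""
    adapters, current, last = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: section header
            current, last = adapters.setdefault(line.strip().rstrip(":"), {}), None
            continue
        m = FIELD.match(line)
        if m:                              # "Name . . . : value" starts a field
            last = current.setdefault(m.group(1), [])
        # Continuation lines carry extra values; drop "(Preferred)" and "%11".
        value = re.sub(r"[%(].*$", "", m.group(2) if m else line).strip()
        if value and last is not None:
            last.append(value)
    return adapters

def audit(text, router_ip, trusted_dns=()):
    """List (adapter, field, value) where a DHCP-supplied setting is not the router."""
    findings = []
    for name, f in parse_ipconfig(text).items():
        if f.get("DHCP Enabled") != ["Yes"]:
            continue                       # static configuration, not DHCP-supplied
        for field, allowed in (("DHCP Server", {router_ip}),
                               ("Default Gateway", {router_ip}),
                               ("DNS Servers", {router_ip, *trusted_dns})):
            findings += [(name, field, v) for v in f.get(field, []) if v not in allowed]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "192.168.1.1"))
```

Save `ipconfig /all > out.txt` on each affected machine and pass the file contents to `audit`; resolvers you configured deliberately go in `trusted_dns`.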
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
ID: 36511165
As suggested by younghv above go to the article written by RPG, reset the router to default and change the password of the router after resetting it to default.

Then as mentioned in the article scan with MBAM but after running Rogue Killer. Another recommendation is running TDSSKiller from Kaspersky.

Recommended readings
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
or
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep
0
