?
Solved

Weird virus issue

Posted on 2011-09-04
7
Medium Priority
?
640 Views
Last Modified: 2013-11-22
Shortly after plugging in an infected system to my linksys router (it had, what I though, just a fraudware program running), something strange happened.

Every device on our network, iphones, PC's and others could not get to the web. Upon opening the browser of any device and pointing to any website, I would get this message:

"Update your browser. This page does not support your version of browser
Please update your software."


The download button was to some EXE file updbrowser20110904.exe.

My LAN icon said local/private access only (no public or internet). Tried diagnosing and releasing/renewing. Tried powering off modem and router then powering back on, resetting factory settings, etc, no luck.

It wasn't until I unplugged the infected system from the router that things started to work again.

Anyone know what virus this is? MWB not showing anything locally on the system. It seems like the infected one pretended to be the router somehow and was forcing all other devices to go through it.

This was the source code of the website all devices would get directed to:


<html><head><meta name="copyright" content="(C) Bank of Nikolai. Look I have a pen !"><style type="text/css">body{font-family:verdana,helvetica;background-color:#ffffff;}td.logo{padding:10px;width:50px;}td.head{font-size:16px;color:#a07070;border-bottom:solid 1px #e0e0e0;width:400px;height:50px;}td.update{font-size:13px;color:#808080;padding-top:10px;}td.button{padding:10px}input{font-family:verdana,helvetica;font-size:12px;height:24px;}</style></head><body><table rows="3" cols="2"><tr><td valign="top" rowspan="3" class="logo"><img width="64px" height="64px" src="http://update.browser.com/update.jpg"></td><td class="head">Update your browser</td></tr><tr><td class="update">This page does not support your version of browser<br>Please update your software</td></tr><tr><td class="button"><form action="http://update.browser.com/download.php"><input type="submit" value="Browser update"></td></tr></form></table></body></html>


I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?


The "website" had a download to "updbrowser20110904.exe".
VirusTotal scan of the file: http://www.virustotal.com/file-scan/report.html?id=9d4ef7c4a8e9a4bc5df8a92e75d0c45e658b9721b9c2a45a7f084d4e1c023d38-1315089328
Only a few Google Results of the filename: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=updbrowser20110904.exe

Running a VM malwarebytes detected as Spyware.Passwords.XGen
0
Comment
Question by:garryshape
7 Comments
 
LVL 12

Accepted Solution

by:
marcustech earned 400 total points
ID: 36481268
I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?

You'd really need to check the IP configuration and nslookup results on the systems to determine how this was done.  Usually it's a simple UPnP DNS poisoning on the gateway router, if it's something more then you would really have to run more diagnostics to find out what was happening to your web traffic.
0
 
LVL 20

Assisted Solution

by:n2fc
n2fc earned 400 total points
ID: 36481366
The virus probably infected  your router and at least messed the DNS settings (if not more)...

1) Unplug the infected PC and deal with it OFFLINE
2) Reset the router to FACTORY settings and attempt to reprogram it as needed
0
 
LVL 20

Expert Comment

by:n2fc
ID: 36481375
Another possibilty is that the infected computer is acting as a DHCP server on the network, usurping that function from your router...  and giving out the bad DNS settings.

1. Run a "ipconfig /all" on the affected computer(s).
2. Look at the "DHCP Server" entry and see if does not correspond to your router's IP. The IP will be of a local computer that is hosting the DHCP services.
3. Trace the IP to the bad DHCP server, REMOVE from network.
4. Run a "ipconfig /release" then a "ipconfig /renew" on the affected computer to obtain DHCP settings from the router.
5. Sanitize local computers as needed using the slew of utilities out there.

The bad DNS entry that we've seen is "188.229.88.7"
Add to local firewall or router restrictions
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
LVL 38

Assisted Solution

by:younghv
younghv earned 400 total points
ID: 36481396
An infected router is definitely a possibility. Review the details in this EE Article for the details:
http://www.experts-exchange.com/A_5327.html - Infected Router - Google Search Redirects Even on a Clean System
0
 

Author Comment

by:garryshape
ID: 36481460
I'm not having the issue since I turned off/unplugged the infected PC.
Will fire it back up (unplugged from network) and run some follow up scans.

But it doesn't see to me the router's infected, fortunately. Its IP settings look good and so do the local ipconfig /all settings on the systems.
0
 
LVL 13

Assisted Solution

by:F Igor
F Igor earned 400 total points
ID: 36482508
You can try some checks to ensure the routes is working fine:

Take note on the actual parameters given in some machine when you get the IP:

Current IP
Gateway IP
DNS IP


When you try the DHCP release/renew, take note on the DHCP server IP
(maybe the infected PC acting as DHCP server and bringing a different DNS/gateway config) . COmpare the new IP configuration if it's something wrong.



If the IP configuration is ok, you can try to test the DNS resolving:
nslookup www.google.com 

Open in new window

Se the response with and without the infected PC conencted and compare.

Also Compare the routing results:

tracert www.google.com

Open in new window




If the infected PC are acting as DHCP or gateway it could be bringing different results that you're getting normally.
0
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
ID: 36511165
As suggested by younghv above go to the article written by RPG, reset the router to default and change the password of the router after resetting it to default.

Then as mentioned in the article scan with MBAM but after running Rogue Killer. Another recommendation is running TDSSKIller from Kaspersky.

Recommended readings
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

TDSSKIller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
or
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question