Solved: Weird virus issue

Posted on 2011-09-04, 7 comments, 631 Views, Last Modified: 2013-11-22
Shortly after plugging an infected system into my Linksys router (it had, what I thought, just a fraudware program running), something strange happened.

Every device on our network, iPhones, PCs and others, could not get to the web. Upon opening the browser of any device and pointing to any website, I would get this message:

"Update your browser. This page does not support your version of browser
Please update your software."


The download button was to some EXE file updbrowser20110904.exe.

My LAN icon said local/private access only (no public or internet). Tried diagnosing and releasing/renewing. Tried powering off modem and router then powering back on, resetting factory settings, etc, no luck.

It wasn't until I unplugged the infected system from the router that things started to work again.

Anyone know what virus this is? MWB not showing anything locally on the system. It seems like the infected one pretended to be the router somehow and was forcing all other devices to go through it.

This was the source code of the website all devices would get directed to:


<html><head><meta name="copyright" content="(C) Bank of Nikolai. Look I have a pen !">
<style type="text/css">
body{font-family:verdana,helvetica;background-color:#ffffff;}
td.logo{padding:10px;width:50px;}
td.head{font-size:16px;color:#a07070;border-bottom:solid 1px #e0e0e0;width:400px;height:50px;}
td.update{font-size:13px;color:#808080;padding-top:10px;}
td.button{padding:10px}
input{font-family:verdana,helvetica;font-size:12px;height:24px;}
</style></head>
<body>
<table rows="3" cols="2">
<tr><td valign="top" rowspan="3" class="logo"><img width="64px" height="64px" src="http://update.browser.com/update.jpg"></td><td class="head">Update your browser</td></tr>
<tr><td class="update">This page does not support your version of browser<br>Please update your software</td></tr>
<tr><td class="button"><form action="http://update.browser.com/download.php"><input type="submit" value="Browser update"></td></tr></form>
</table></body></html>


I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?


The "website" had a download to "updbrowser20110904.exe".
VirusTotal scan of the file: http://www.virustotal.com/file-scan/report.html?id=9d4ef7c4a8e9a4bc5df8a92e75d0c45e658b9721b9c2a45a7f084d4e1c023d38-1315089328
Only a few Google Results of the filename: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=updbrowser20110904.exe

Running it in a VM, Malwarebytes detected it as Spyware.Passwords.XGen.
Question by: garryshape

Accepted Solution by marcustech (LVL 12, earned 100 total points), ID: 36481268
I had run rkill and then MWB on the infected system but didn't reboot yet. I wonder if this computer infected the router, or itself was still infected before reboot and still posing as a gateway and imposing a malicious website through a local webserver?

You'd really need to check the IP configuration and nslookup results on the systems to determine how this was done. Usually it's a simple UPnP DNS poisoning on the gateway router; if it's something more, then you would really have to run more diagnostics to find out what was happening to your web traffic.

Assisted Solution by n2fc (LVL 20, earned 100 total points), ID: 36481366
The virus probably infected your router and at least messed up the DNS settings (if not more)...

1) Unplug the infected PC and deal with it OFFLINE
2) Reset the router to FACTORY settings and attempt to reprogram it as needed

Expert Comment by n2fc (LVL 20), ID: 36481375
Another possibility is that the infected computer is acting as a DHCP server on the network, usurping that function from your router... and giving out the bad DNS settings.

1. Run "ipconfig /all" on the affected computer(s).
2. Look at the "DHCP Server" entry and see if it does not correspond to your router's IP. The IP will be that of a local computer that is hosting the DHCP service.
3. Trace the IP to the bad DHCP server and REMOVE it from the network.
4. Run "ipconfig /release" then "ipconfig /renew" on the affected computer to obtain DHCP settings from the router.
5. Sanitize local computers as needed using the slew of utilities out there.

The bad DNS entry that we've seen is "188.229.88.7".
Add it to local firewall or router restrictions.
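The DHCP check in n2fc's steps 1 to 4 above (and the "check the IP configuration" advice from marcustech), written out as a script. This is an added example, not code from the thread: it parses the text that the Windows `ipconfig /all` command prints and flags a lease that did not come from the router, a default gateway that is not the router, and resolvers that are not the expected ones. The sample `ipconfig` output is constructed for the example; 192.168.1.1 (router) and 192.168.1.105 (infected PC) are assumed addresses, and 188.229.88.7 is the bad DNS entry n2fc reports.

```python
"""Spot a rogue DHCP server or resolver from `ipconfig /all` output.

Added example, not code from the thread. Parses the text that the Windows
`ipconfig /all` command prints and checks every DHCP-configured adapter
against the addresses the router is expected to hand out. The sample
output is constructed; 192.168.1.1 (router) and 192.168.1.105 (infected
PC) are assumed addresses, 188.229.88.7 is the bad resolver from the thread.
"""
import re

ROUTER_IP = "192.168.1.1"          # assumption: the Linksys LAN address
KNOWN_BAD_DNS = {"188.229.88.7"}   # the bad DNS entry reported in the thread

# Constructed sample: a client that took its lease from the infected PC.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-3A-2B-1C
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.112(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, September 04, 2011 10:12:01 AM
   Default Gateway . . . . . . . . . : 192.168.1.105
   DHCP Server . . . . . . . . . . . : 192.168.1.105
   DNS Servers . . . . . . . . . . . : 188.229.88.7
                                       192.168.1.105
"""
# Same client after the infected PC is unplugged and the lease renewed.
CLEAN_IPCONFIG = (SAMPLE_IPCONFIG.replace("192.168.1.105", ROUTER_IP)
                                 .replace("188.229.88.7", ROUTER_IP))

# "   Field Name . . . . : value"  (name, dot leader, colon, value)
_FIELD = re.compile(r"^\s+([A-Za-z0-9][A-Za-z0-9 \-()/]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. Multi-line fields such as
    "DNS Servers" collect their continuation lines as extra values."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # section header, e.g. "Ethernet adapter X:"
            if line.rstrip().endswith(":"):
                current = line.rstrip()[:-1]
                adapters[current] = {}
            field = None
            continue
        if current is None:
            continue
        m = _FIELD.match(line)
        if m:
            field, value = m.group(1).strip(), m.group(2).strip()
            adapters[current].setdefault(field, [])
            if value:
                adapters[current][field].append(value)
        elif field:                          # continuation of the previous field
            adapters[current][field].append(line.strip())
    return adapters


def audit_adapter(fields, router_ip=ROUTER_IP, expected_dns=None):
    """Findings for one adapter: who gave the lease, the gateway, the resolvers."""
    expected = set(expected_dns) if expected_dns else {router_ip}
    findings = []
    if fields.get("DHCP Enabled", [])[:1] != ["Yes"]:
        return findings                      # static config: nothing to compare
    dhcp = fields.get("DHCP Server", [])
    if dhcp and dhcp[0] != router_ip:
        findings.append(f"lease came from {dhcp[0]}, not the router {router_ip}")
    for gw in fields.get("Default Gateway", []):
        if ":" not in gw and gw != router_ip:    # IPv4 gateways only
            findings.append(f"default gateway {gw} is not the router")
    for dns in fields.get("DNS Servers", []):
        if dns in KNOWN_BAD_DNS:
            findings.append(f"known-bad resolver {dns}")
        elif ":" not in dns and dns not in expected:
            findings.append(f"unexpected resolver {dns}")
    return findings


def audit(text, router_ip=ROUTER_IP, expected_dns=None):
    """Map adapter name -> findings, for every adapter that has a problem."""
    report = {}
    for name, fields in parse_ipconfig(text).items():
        problems = audit_adapter(fields, router_ip, expected_dns)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_IPCONFIG).items():
        print(name)
        for p in problems:
            print("  -", p)
    print("clean config findings:", audit(CLEAN_IPCONFIG))
```

On a real client, run `ipconfig /all > config.txt` on the affected machine and pass the file's contents to `audit()`, with `router_ip` set to the router's LAN address and `expected_dns` to whatever the router normally hands out (itself, or the ISP resolvers). Anything reported under "lease came from" is the box to unplug first.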

Assisted Solution by younghv (LVL 38, earned 100 total points), ID: 36481396
An infected router is definitely a possibility. Review this EE Article for the details:
http://www.experts-exchange.com/A_5327.html - Infected Router - Google Search Redirects Even on a Clean System

Author Comment by garryshape, ID: 36481460
I'm not having the issue since I turned off/unplugged the infected PC.
Will fire it back up (unplugged from network) and run some follow up scans.

But it doesn't seem to me that the router's infected, fortunately. Its IP settings look good and so do the local ipconfig /all settings on the systems.

Assisted Solution by F Igor (LVL 13, earned 100 total points), ID: 36482508
You can try some checks to ensure the router is working fine:

Take note of the actual parameters given to some machine when it gets its IP:

Current IP
Gateway IP
DNS IP

When you try the DHCP release/renew, take note of the DHCP server IP (maybe the infected PC is acting as DHCP server and handing out a different DNS/gateway config). Compare the new IP configuration to see if something is wrong.

If the IP configuration is OK, you can try to test the DNS resolving:

nslookup www.google.com

See the response with and without the infected PC connected and compare.

Also compare the routing results:

tracert www.google.com

If the infected PC is acting as DHCP server or gateway, it could be producing different results from what you normally get.
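The with/without comparison F Igor describes (and the nslookup check marcustech suggests), as an added example that is not part of the thread: it parses the text the Windows `nslookup <name>` and `tracert <name>` commands print, pulls out the resolver that answered, the answer addresses and the first hop, and reports what changed between a capture taken with the suspect PC connected and one taken without it. All four captures below are constructed; 192.168.1.1 (router) and 192.168.1.105 (infected PC) are assumed addresses, 188.229.88.7 is the bad resolver named in the thread, and the rogue resolver is assumed to answer every name with the infected PC's address, which is one way to make every site land on the same update page.

```python
"""Diff the `nslookup` / `tracert` picture with and without the suspect PC.

Added example, not code from the thread. Parses Windows `nslookup` and
`tracert` output (IPv4 only) from two captures and explains what changed.
All captures are constructed; 192.168.1.1 and 192.168.1.105 are assumed
router / infected-PC addresses, 188.229.88.7 is the resolver from the thread.
"""
import re

# Constructed capture with the suspect PC plugged in: a rogue resolver that
# answers every name with the infected PC, which is also the first hop.
NSLOOKUP_BAD = """\
Server:  UnKnown
Address:  188.229.88.7

Non-authoritative answer:
Name:    www.google.com
Address:  192.168.1.105
"""
TRACERT_BAD = """\
Tracing route to www.google.com [192.168.1.105]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.105

Trace complete.
"""
# Constructed capture after the suspect PC is unplugged and the lease renewed.
NSLOOKUP_GOOD = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    www.google.com
Addresses:  74.125.224.84
          74.125.224.80
"""
TRACERT_GOOD = """\
Tracing route to www.google.com [74.125.224.84]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    11 ms    10 ms    11 ms  10.20.30.1
  3    14 ms    15 ms    14 ms  74.125.224.84

Trace complete.
"""

_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")       # "  1    <1 ms ... 192.168.1.1"


def parse_nslookup(text):
    """Return {'server': resolver IP, 'name': queried name, 'answers': [IPs]}.
    The "Address:" before "Name:" is the resolver; after it, the answers."""
    out = {"server": None, "name": None, "answers": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:                                # continuation of "Addresses:"
            if out["name"] and _IP.fullmatch(key):
                out["answers"].append(key)
            continue
        if key == "Name":
            out["name"] = value
        elif key in ("Address", "Addresses"):
            if out["name"] is None:
                out["server"] = value              # the resolver that answered
            elif value:
                out["answers"].append(value)
    return out


def parse_tracert(text):
    """Return hop IPs in order; '*' for a hop that did not answer."""
    hops = []
    for line in text.splitlines():
        m = _HOP.match(line)
        if not m:
            continue
        ips = _IP.findall(m.group(2))              # last IP on the line is the hop
        hops.append(ips[-1] if ips else "*")
    return hops


def compare(ns_with, tr_with, ns_without, tr_without):
    """Explain what changed when the suspect PC was connected."""
    a, b = parse_nslookup(ns_with), parse_nslookup(ns_without)
    ha, hb = parse_tracert(tr_with), parse_tracert(tr_without)
    diffs = []
    if a["server"] != b["server"]:
        diffs.append(f"resolver changed: {b['server']} -> {a['server']}")
    if set(a["answers"]) != set(b["answers"]):
        diffs.append(f"{a['name']} resolves to {a['answers']} instead of {b['answers']}")
    if ha[:1] != hb[:1]:
        diffs.append(f"first hop changed: {hb[:1]} -> {ha[:1]}")
    if ha and ha[0] in a["answers"]:
        diffs.append(f"first hop {ha[0]} is also the DNS answer: a LAN host is impersonating {a['name']}")
    return diffs


if __name__ == "__main__":
    for d in compare(NSLOOKUP_BAD, TRACERT_BAD, NSLOOKUP_GOOD, TRACERT_GOOD):
        print("-", d)
```

Capture `nslookup www.google.com` and `tracert www.google.com` into files once with the suspect PC on the network and once with it unplugged, then pass the four texts to `compare()`. A resolver or first hop that changes with the PC's presence points at a rogue DHCP server or gateway; a first hop that is also the DNS answer means a LAN host is serving the page itself.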

Assisted Solution by Sudeep Sharma (LVL 29, earned 100 total points), ID: 36511165
As suggested by younghv above, go to the article written by RPG, reset the router to default and change the password of the router after resetting it to default.

Then, as mentioned in the article, scan with MBAM but after running Rogue Killer. Another recommendation is running TDSSKiller from Kaspersky.

Recommended readings
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
or
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep