
regarding this week's malware of teh century, namely dnschanger....


danny burstein

May 22, 2012, 5:18:12 PM

Anyone know if the "microsoft malicious software removal tool"
(more or less its name) that m-soft keeps updating every
few intervals and pushing out to Windows computers...

.... anyone know if it handles dnschanger?

thanks

--
_____________________________________________________
Knowledge may be power, but communications is the key
dan...@panix.com
[to foil spammers, my address has been double rot-13 encoded]

David H. Lipman

May 22, 2012, 5:40:11 PM

From: "danny burstein" <dan...@panix.com>

> Anyone know if the "microsoft malicious software removal tool"
> (more or less its name) that m-soft keeps updating every
> few intervals and pushing out to Windows computers...
>
> .... anyone know if it handles dnschanger?
>
> thanks
>

By now every AV/AM vendor will recognize the DNSChanger trojan. However some
may not detect if the DNS Table of a previously infected computer or
modified SOHO Router is still using the DNSChanger related DNS servers.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters

May 22, 2012, 8:49:01 PM

danny burstein wrote:
> Anyone know if the "microsoft malicious software removal tool"
> (more or less its name) that m-soft keeps updating every
> few intervals and pushing out to Windows computers...
>
> .... anyone know if it handles dnschanger?

There is a common misconception about this *new* problem. It's not some
new malware, it's old malware that had changed settings to use "bad" DNS
servers. When the malware related servers were taken over by the good
guys and the malware cleared up on local machines they became dependent
upon those good guy owned "bad" servers for the normal operation of DNS
which is almost critical for resolving URLs.

The good guys are now ready to wean the affected (previously infected)
local machines off from the "bad" servers, and thus all of the hoopla.

danny burstein

May 22, 2012, 10:09:18 PM

In the words of Commodore Decker from Star Trek (the one
and only, no "pre" or "post" or "second" or "rebooted"),
"don't you think we know that?"

My question, as expanded a bit, is whether the m-soft
download, which anyone doing updates has gotten, gets
rid of teh malware _and_ also resets the DNS back
to the pre-infection default.

David H. Lipman

May 22, 2012, 10:20:17 PM

From: "danny burstein" <dan...@panix.com>

> In <jphc5v$kdm$1...@dont-email.me> FromTheRafters <err...@nomail.afraid.org>
> writes:
>
>> danny burstein wrote:
>>> Anyone know if the "microsoft malicious software removal tool"
>>> (more or less its name) that m-soft keeps updating every
>>> few intervals and pushing out to Windows computers...
>>>
>>> .... anyone know if it handles dnschanger?
>
>> There is a common misconception about this *new* problem. It's not some
>> new malware, it's old malware that had changed settings to use "bad" DNS
>> servers. When the malware related servers were taken over by the good
>> guys and the malware cleared up on local machines they became dependent
>> upon those good guy owned "bad" servers for the normal operation of DNS
>> which is almost critical for resolving URLs.
>
>> The good guys are now ready to wean the affected (previously infected)
>> local machines off from the "bad" servers, and thus all of the hoopla.
>
> In the words of Commodore Decker from Star Trek (the one
> and only, no "pre" or "post" or "second" or "rebooted"),
> "don't you think we know that?"
>
> My question, as expanded a bit, is whether the m-soft
> download, which anyone doing updates has gotten, gets
> rid of teh malware _and_ also resets the DNS back
> to the pre-infection default.
>

My understanding is the monthly downloaded MRT will not alter the Windows PC
DNS Table. It will only remove the DNSChanger trojan.

danny burstein

May 22, 2012, 11:28:33 PM

In <CKOdndc229D-1CHS...@giganews.com> "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

>> My question, as expanded a bit, is whether the m-soft
>> download, which anyone doing updates has gotten, gets
>> rid of the malware _and_ also resets the DNS back
>> to the pre-infection default.

>My understanding is the monthly downloaded MRT will not alter the Windows PC
>DNS Table. It will only remove the DNSChanger trojan.

Thanks for the pointer. If you're correct, then one (I'll volunteer)
should scream out loudly:

Dear Redmond:
Add the fixxer upper. Please.
Thank you.

kurt wismer

May 23, 2012, 12:44:35 AM

On May 22, 10:09 pm, danny burstein <dan...@panix.com> wrote:
[snip]
> My question, as expanded a bit, is whether the m-soft
> download, which anyone doing updates has gotten, gets
> rid of teh malware _and_ also resets the DNS back
> to the pre-infection default.

yeah, about that. how exactly is a program supposed to know what your
DNS settings were before you got infected?

this isn't a setting that has a default value that you can set it back
to and have things work.

the DNS setting in question, specifically, is the address of the DNS
server your computer connects to when it wants to look up the
numerical IP address associated with a domain name (necessary for
reaching any website unless you're entering the IP address yourself).
for most people that DNS server is the one their ISP provides. even if
a program were to detect which ISP you used, and had a listing of
every DNS server provided by every ISP (a pretty monumental
undertaking), not everyone uses their ISP's DNS so a recovery program
still wouldn't be able to restore the right one.

restoring altered DNS settings is outside the scope of what a clean up
tool (like the one microsoft provides) can do.

Virus Guy

May 24, 2012, 7:55:47 AM

kurt wismer wrote:

> restoring altered DNS settings is outside the scope of what a clean
> up tool (like the one microsoft provides) can do.

The cleanup tool can (or should) perform a test to see *if* your system
is using a known-malicious DNS server (just as these tests are possible
as some third-party websites perform this service). Even if the tool
can't change the system's DNS-server setting (* because it doesn't know
what it should change it to) telling the user that the system has a bad
DNS setting is a necessary first step at fixing the problem.

---
* Even that is debatable, since the system's DNS server setting
could be changed to point to a known-good public DNS server.
Even if the user's router or modem has been compromised to
provide a malicious DNS server via DHCP, that can be by-passed
by hard-coding a known-good public DNS server setting on a
system's TCP/IP properties.
---
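
The check discussed in the post above, as an added example that is not part of the original thread or of Microsoft's tool: it parses `ipconfig /all` text, flags any DNS server inside a listed range, and notes whether the setting likely came from DHCP (the router case) or from the adapter itself. The ranges are RFC 5737 placeholders, and the sample output and the function names `dns_servers` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation space), NOT real indicators.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/25")]

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 203.0.113.54
                                       192.168.1.1

Wireless LAN adapter Wi-Fi:
   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       198.51.100.7
"""

def dns_servers(text):
    """Return (adapter, dhcp_enabled, ip) for every DNS server listed."""
    found, adapter, dhcp, in_dns = [], None, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts an adapter
            adapter, dhcp, in_dns = line.rstrip(":"), None, False
            continue
        label, sep, value = line.partition(" : ")
        if sep:
            label = label.strip(" .")
            in_dns = label == "DNS Servers"
            if label == "DHCP Enabled":
                dhcp = value.strip() == "Yes"
        elif in_dns:
            value = line                        # continuation line: a further server
        if in_dns and value.strip():
            ip = value.strip().split("%")[0]    # drop any IPv6 zone suffix
            found.append((adapter, dhcp, ipaddress.ip_address(ip)))
    return found

def audit(text, rogue=ROGUE_RANGES):
    """Return a finding for each configured DNS server inside a listed range."""
    findings = []
    for adapter, dhcp, ip in dns_servers(text):
        hit = next((net for net in rogue if ip in net), None)
        if hit:
            source = "likely from DHCP, check the router" if dhcp else "set on this adapter"
            findings.append((adapter, str(ip), str(hit), source))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_IPCONFIG), sep="\n")
```

A clean result only covers the settings visible on that PC at that moment; a router that hands out a listed resolver shows up on every DHCP client behind it.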

kurt wismer

May 24, 2012, 1:00:44 PM

On May 24, 7:55 am, Virus Guy <Vi...@Guy.com> wrote:
> kurt wismer wrote:
> > restoring altered DNS settings is outside the scope of what a clean
> > up tool (like the one microsoft provides) can do.
>
> The cleanup tool can (or should) perform a test to see *if* your system
> is using a known-malicious DNS server (just as these tests are possible
> as some third-party websites perform this service).  Even if the tool
> can't change the system's DNS-server setting (* because it doesn't know
> what it should change it to) telling the user that the system has a bad
> DNS setting is a necessary first step at fixing the problem.

agreed, a cleanup tool should be able to do that. i'm not sure
microsoft's tool (or the design philosophy) incorporates user feedback,
however. my guess is that such notifications would generate support
requests that they don't have the capability to deal with.