Maggie's Farm
Friday, June 22. 2012

Doc's Computin' Tips: World's first FBI-approved virus

It's actually kind of a bizarre story. Your computer finds other machines on the Internet by asking a DNS server to turn the names you type into the numbers the network actually uses, and which DNS server it asks is just a setting on the machine, usually handed out by your router or your ISP. Some bad guys in Estonia ran a fake advertising scheme and infected a shitload of computers around the world with a program that changed that setting to point at DNS servers the bad guys controlled. The computer would still connect to the Internet just fine, but every lookup now went through the crooks, who used that position to swap in their own ads, so occasionally the user might find some new browser window open advertising this or that. That is how the bad guys made their money.

Enter the authorities, who catch the bad guys but then are faced with a problem. If they had simply confiscated the rogue servers, every infected machine on the planet would have immediately stopped being able to look up names, which to the owner looks exactly like losing the Internet connection, and without the owner having the slightest idea why. Rather than risk that kind of chaos, the FBI, under a court order, had clean replacement servers put at the same addresses to give people time to clean up their computers, but time is running out and the replacement servers are going to be unplugged this July 9th. There's already been one court-ordered stay (the original cutoff was March 8th), and it doesn't look like there's going to be another.

The reason anti-virus programs don't catch the little rascal is because it's not actually a virus that keeps running on the machine. The second someone clicked on the original fraudulent ad and ran what it offered, the damage was done: the program (the FBI calls it DNSChanger) rewrote the DNS setting and from then on didn't need to be present at all. A scan that finds nothing today therefore tells you nothing about where your lookups are going, so the only reliable test is to look at the setting itself. The official FBI info file is here.

The Tests

To be fairly certain you're not infected, visit this and this page. If they say you're infected, there will be some instructions to follow. If you want to be absolutely certain you're not infected, go to Start Menu, Programs, Accessories, open 'Command Prompt'. Type in:

ipconfig /all

and hit the Enter key. Start looking down the list and you'll see 'DNS Servers', with one or two DNS numbers over to the right (if there is a second one, it sits on the line below the first, with no label in front of it).
If any of your DNS numbers fall into one of the rogue ranges, the machine is infected. The one range shown here is 64.28.176.0 through 64.28.191.255 (that is, any address starting with 64.28. whose third number is between 176 and 191); the FBI file lists six such ranges in total, so compare your numbers against the full list there, not just this one. If you get a match, head here for some fix-it tools, and please let us know in the comments which tool you used and on what operating system.

Mac users: you are not automatically off the hook; there were Mac versions of this thing too. Check the FBI file for where to find your DNS numbers on OS X so you can compare them to the same list.

Router users: Check the router section in the FBI file. The router has its own DNS numbers that need to be manually checked against the list, and this matters more than it sounds. If ipconfig shows your router's own address as the DNS server (something like 192.168.0.1 or 192.168.1.1), then your computer is only asking the router, and the router is asking whatever it was told to ask, so the ipconfig check alone proves nothing in that case. The FBI file notes that the malware could also change the DNS setting on home routers that were still using the factory username and password.

I suppose I should note the historical impact of the event. While there have been innumerable viruses, worms and trojans over the years that were expected to ignite on a certain date, creating Gawd knows what kind of havoc, almost none of them ever panned out. This time, however, we're being given a specific date and it's a damn good guess it'll actually happen. After all, this one's backed up by the FBI.
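A worked version of the check above, added here by the editor and not part of Doc's post or of the FBI file: a Python script that takes saved ipconfig /all output, pulls out every address listed under 'DNS Servers' (including a second server on the unlabeled continuation line), and tests each one against the six rogue ranges published in the FBI's DNSChanger notice (the post shows only the 64.28.176.0 range). It also handles the router case: when the only DNS server is a private address such as 192.168.0.1, the computer is merely asking the router, so the verdict is "check the router" rather than "clean". The two sample outputs are constructed, one modeled on a commenter's paste and one made up to look infected, and the function and sample names are the editor's own.

```python
import ipaddress
import re

# The six rogue DNS ranges from the FBI's DNSChanger notice (editor's list;
# the post itself only shows the last one).
ROGUE_RANGES = [
    ipaddress.ip_network(cidr) for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# An ipconfig label line: "Label . . . . : value".  The label stops at the
# first colon, so an IPv6 value can never be mistaken for a label.
LABEL = re.compile(r"^\s*(?P<label>[A-Za-z][^:]*?)\s*[. ]*:\s?(?P<value>.*)$")


def _as_address(token):
    """Turn a bare ipconfig value such as '192.168.0.1' or
    'fe80::1%9(Preferred)' into an ip_address, or return None."""
    token = re.sub(r"\((?:Preferred|Tentative|Deprecated)\)$", "", token.strip())
    token = token.split("%")[0]          # drop the IPv6 zone index
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_dns_servers(ipconfig_text):
    """Collect every address listed under 'DNS Servers' in `ipconfig /all`
    output.  Windows prints the first server on the label line and any
    further servers on the following lines, indented, with no label."""
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            collecting = False
            continue
        bare = _as_address(line)          # a continuation line is only an address
        if bare is not None:
            if collecting:
                servers.append(bare)
            continue
        collecting = False
        m = LABEL.match(line)
        if m and m.group("label").strip() == "DNS Servers":
            first = _as_address(m.group("value"))
            if first is not None:
                servers.append(first)
            collecting = True
    return servers


def classify(servers):
    """Verdict for a list of DNS server addresses:
    'infected'      at least one IPv4 server is inside a rogue range
    'check-router'  every server is a private/link-local address, i.e. the
                    router answers DNS and its own upstream setting must be
                    checked (the FBI file's 'Checking the Router' case)
    'clean'         public resolvers outside the rogue ranges
    'no-dns'        nothing listed at all"""
    if not servers:
        return "no-dns"
    if any(s.version == 4 and any(s in net for net in ROGUE_RANGES) for s in servers):
        return "infected"
    if all(s.is_private or s.is_link_local for s in servers):
        return "check-router"
    return "clean"


def check_addresses(values):
    """Classify DNS addresses given as strings, e.g. the ones copied off a
    router's status page after logging in to it."""
    return classify([a for a in map(_as_address, values) if a is not None])


# Constructed sample, modeled on the ipconfig output a commenter pasted:
# the only DNS server is the router itself.
SAMPLE_ROUTER = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : c-rand
   Node Type . . . . . . . . . . . . : Hybrid

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::79e2:a992:42d4:7d8c%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.105(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample of an infected machine: two servers, the second on the
# unlabeled continuation line Windows uses for extra entries.
SAMPLE_INFECTED = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.7(Preferred)
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       64.28.180.9
"""

if __name__ == "__main__":
    for name, text in (("router-style output", SAMPLE_ROUTER),
                       ("infected output", SAMPLE_INFECTED)):
        found = parse_dns_servers(text)
        print(f"{name}: {[str(a) for a in found]} -> {classify(found)}")
    print("router status page says 8.8.8.8, 8.8.4.4 ->",
          check_addresses(["8.8.8.8", "8.8.4.4"]))
```

To use it on a real machine, save the output with `ipconfig /all > dns.txt`, read that file and pass its contents to parse_dns_servers; when the verdict is "check-router", log in to the router, copy the DNS addresses from its status page and feed them to check_addresses. The range test is done with ipaddress rather than string prefixes because a prefix match on "64.28.1" would also match 64.28.100.x, which is outside the rogue block.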
Comments
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\c-rand>cd \

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : c-rand
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
   Physical Address. . . . . . . . . : 00-13-02-E0-BB-74
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::79e2:a992:42d4:7d8c%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.105(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, June 22, 2012 8:38:17 AM
   Lease Expires . . . . . . . . . . : Saturday, June 23, 2012 8:38:17 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 150999810
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-AB-5D-D8-00-15-C5-48-2C-BB
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-15-C5-48-2C-BB
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{04C383C5-BB32-4363-8BE3-AC555240AA35}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{A45CAEBE-E6DC-4D0A-B7EA-F8AAA28FC6C4}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1cd1:2ad6:3f57:ff96(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1cd1:2ad6:3f57:ff96%11(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\>
===END==of=Command List====

The DNS line has one and only one DNS server listed. Not infected. Microsoft Windows Vista Business 32-bit edition, Service Pack 2, Dell D630, 4GB RAM, 200GB HD, NTFS partition. Today is 22-June-2012. Security Essentials Version: 2.1.1116.0; Antimalware Client Version: 3.0.8402.0; Engine Version: 1.1.8502.0; Antivirus definition: 1.129.289.0; Antispyware definition: 1.129.289.0. Microsoft Security Essentials. Long-time reader and avid fan in Houston, Texas.

Hmm, that's interesting. I thought all Windows systems had two DNS numbers. Mine always have. I've amended the post and thanks for the update.
That's because 192.168.0.1 is just the IP address of his router. IIRC, "192" is reserved for internal addresses only. His check with ipconfig therefore means nothing. But then again I'm one of those "ignorant" Mac users, so what do I know?
It ain't that you Mac-aroons are ignorant, it's that you're so bitter.
It ain't that you Mac-aroons are ignorant, it's that you're so bitter better.
There, I fixed it for you. BTW, from page 5 of the FBI memo:
"In most homes, computers are assigned an IP address in the range 192.168.1.2 to 192.168.1.254, and the default gateway and DNS servers are set to 192.168.1. To determine if your computer is utilizing the rogue DNS servers, read the next section, Checking the Router."

From page 6 of the FBI memo:

"The DNSChanger malware is capable of changing the DNS server setting with [Small office/home office] routers that have the default username and password provided by the manufacturer. If you did not change the default password at the time the [SOHO] router was installed, you must check the [SOHO] router settings."

In other words, as I indicated in my earlier post, if you have a router, you should check the settings of your router in order to be certain you are not using the rogue DNS servers.

One self-confessed Dumb Mac User: +1
A Certain Smart PC User: -10000000000

I mentioned routers in my post.
If you're keeping score, be sure to tune in next week when I have a Computin' Tip just for Mac users. It won't be pretty.

You're right. They usually do. I will continue to monitor my DNS settings.
Thanks Doc....I heard about this but didn't know how to check it. Looks good on my machine.
I worry about those Web sites that check the system -- figuring that if I were writing the virus, I'd specifically write it to get around them -- hence the inclusion of the DNS test. Glad your system checked out. There's also a nasty Mac virus running around, but I'll get to that next week.
Am I missing something here?
Use DHCP for an IP address, and for DNS servers, which most home systems I've ever used do? i.e. Tick the 'Obtain an IP automatically', and Obtain DNS servers automatically' tick boxes and apply the Vulcan Nerve Pinch. "Am I missing something here?"
With all due respect, yes. This isn't a techie site. The second you said "Tick the...", you lost 95% of the readers. I have to assume almost everybody's system is straight out of the box.

As always, Doc, you're a big help on matters Windows. I'm clean, somehow!
You mean your computer's clean.
As far as you go, I've been to your home site and you're anything but 'clean', mister. To wit:

- Objectifying women by calling them PYTs
- Took Lord's name in vain by saying "God Damn"
- Lost 10 points off your IQ by using "y'all"
- Said nice things about a Microsoft program

Pretty sad, fella. On the other hand, you got a couple of things right. "Your typical unmarried male sheds responsibility like a dog shakes off water." Boy, I'll say. "He is deaf to the entreaties of a woman, if the result is a deprivation of his pleasure." Boy, I'll say. "He is blind to the effects of female disgust, and thus cannot see the approaching danger." Always sit with your back to the wall is my advice. Thanks for sharing. :)

Every time I follow Dr. Mercury's advice to do this or that to improve my PC I'm overcome with embarrassment and shame over how much I don't know about this tool I use for hours and hours every day.
Sheesh -- opening up the "Command Prompt" box is like staring into the abyss. I type very carefully, for fear I'll accidentally blow up the water works downtown or something. Anyway, results: Clean!!

Stay tuned next week when I show you how:

>format c: /y /q

will clean your whole hard drive to perfection! But, please, don't do it until then. I'd hate to spoil the surprise. :)

I did not find Doc's post to be very helpful. He was as clear as mud as to what DNS is and gives dubious links that are unclear as to fixing a problem that is not likely to affect anyone. In fact, only if your modem plugs directly into your computer will you POSSIBLY suffer from this virus. If the modem plugs into a router and your computer plugs into the router then it is IMPOSSIBLE for that virus to infect your computer. If, however, your setup is a stone age non-router setup, the fix is simply to click Control Panel, Network Sharing, Manage Network Connections; click the Local Area Connection icon and click Properties; then click Internet Protocol Version 4 (TCP/IPv4) and Properties and set the DNS server back to "automatic" or to 8.8.8.8 (that would be the free Google DNS server that is available for FREE) or use the DNS server that your cable provider uses, which takes a phone call to said cable provider tech support to obtain the number.
Simple steps for an extremely unlikely virus infection.

Well, you certainly made that easy for everyone. So remember, folks, in order to avoid a virus, simply: "click control panel, network sharing, manage network connections; click the local area connection icon and click properties; then click Internet protocol version 4 (TCP/IPv4) and properties and set the DNS server back to "automatic" or to 8.8.8.8" I think you're confusing us with C-Net or Wired News. As for this: "will you POSSIBLY suffer from this virus" From the post: "The reason anti-virus programs don't catch the little rascal is because it's not actually a virus" You didn't even fucking read the post and you're criticizing it? "NEXT!"

I stand corrected. If your DNS server has been changed by a web site (not a virus) then it could ONLY have affected you if your computer is connected directly to your modem as opposed to a computer to router to modem. If your DNS server address was changed, then you can simply change it back with a couple of mouse clicks. Don't see the need to make this confusing.

As I noted to someone earlier, for the vast part these are just regular people on this site, and regular people don't use routers, much less open their Network settings and fuss with things.
"Don't see the need to make this confusing." Exactly. That's why I gave them two choices; the links that more-or-less test the system, then the DNS list for those who want to be double-sure. Most of my Computin' Tips are written along those lines, where I first cover the basics of the new program or procedure, then offer up tweaks down below for those who really want to get into it. When a tweak is actually important, I include it in the first part and pray to God they'll have the gumption to actually open the program's Options and change it. BTW, do you use Firefox? I have a Computin' Tip coming up next week featuring a really cool add-on for downloading videos. I had no idea before I used it that many YouTube videos have a hi-def version in MP4 format available, whereas all you're watching (and grabbing out of cache) is the crappy FLV version. Stay tuned!

Dang, doc, we are mostly "regular people," just be careful you don't drift over the line and start referring to us as "normal."
Thanks for the update on this. Clean so far, thanks to your tips.

Dr. M: I ordered another Dell to replace my seven-year-old Dell, which is still running strong, at a price discount I couldn't refuse. I ordered Windows 7 Pro. I have Office Pro 2007 and Office Pro 2003 discs with licenses. I am going to use your guide for trimming down Windows 7. Here is the kicker. I use MS Access 2003 for my work. I am going to continue to use Access 2003, as I have a conniption fit whenever I use Access 2007. Access 2007 is not user friendly for me. At the same time, for a future potential project of a sort different from what I usually do, I want to have Access 2007 - or 2010 - on my computer. I have read that with XP Mode, available on Windows 7 Pro, you can access different versions of Office Pro. I have also read that this can be problematic, if you do not set it up correctly - if you can. It seems to me that the best setup would be to have two different partitions. One would have Windows 7 with either Office Pro 2007 or 2010. The other would have Office Pro 2003 with either XP or Windows 7 as the OS. Like having two computers in one. With the size of hard drives these days, that isn't a problem. I have been looking into purchasing Office Pro 2010 on Craigslist. What I have unearthed involves someone coming to my place and downloading from a thumb drive. It is usually a case where someone purchased multiple licenses from MS, and is selling unused licenses. I had purchased Office Pro 2007 on Craigslist, which involved purchasing a CD. My intuitive reaction is to not trust getting a thumb drive download. Would a CD/DVD made from the thumb drive work for reinstalling? What is your opinion?

Hey, bud -
First off, I agree with the different drive scenario. I have three; my normal Win 7 drive, a 'pure' Win 7 drive that I do various tests on, and an XP drive that runs a couple of programs that (1) don't work on Win 7 and (2) I don't use very often and don't want to spend the bucks upgrading. On the subject, there are three ways you can switch drives:

1. Via the BIOS
2. Using a program like Master Switcher (or whatever it was called -- haven't used it in a decade) or Windows, itself, if going between Win 7 and Win 7 or Win 7 and Vista
3. Power switches

I use the latter. I have a pair of double-pole switches velcroed to the side of my tower. One goes to the main drive, one to the XP drive, normally off. If I'm going to test some Usenet download which is probably virus-laden, I flip OFF the main system (so it doesn't get infected) and boot up from the test system (normally just my storage drive). Assuming I've infected the test drive, I then reboot from a smart card into True Image and restore the partition. Then I flip the main system back on and boot back into it. For the XP programs, I flip on the XP drive, then hit F12 while first booting up, whereupon my Lenovo nicely displays a boot menu, whereupon I select the XP drive. Without the menu, the BIOS would suffice. When I'm through, I flip off the drive and it automatically reboots back into the main system.

As far as the thumb drive deal goes -- yuck! Sounds scary. Personally, I'd wait until Office came out with a new version, at which point a nice, legal 2010 version should be selling for dirt cheap. As for the question, though, yes, assuming they were bootable files on the thumb drive, they could be copied to a bootable disc, but it's not like a normal burn. You need a special program. Nero is supposed to do it, but I could never get it to work. There's a freebie called ImgBurn that works although the process is really bizarre.

And I'm glad you had my Win 7 tweak page stashed to the side. I'm actually quite proud of it. Lemme know if there are any hitches.