EDU-CERT has obtained information that PCs at several Moroccan universities are infected with DNSChanger malware. This Trojan changes the infected system's Domain Name System (DNS) settings in order to divert traffic to unsolicited, and potentially illegal, sites.
The Trojan is usually a small file (about 1.5 kilobytes) designed to change the 'NameServer' registry value (stored under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, globally or per interface under Interfaces\{interface GUID}) to an attacker-chosen IP address. This IP address is usually stored encrypted in the body of the Trojan. As a result of this change, the victim's computer contacts the newly assigned DNS server to resolve the names of web servers and may be directed to unsolicited, and potentially illegal, sites.
Follow the steps below to check whether a computer is infected by the « DNS changer » malware:
Type ipconfig /all at a command prompt and look for the lines in the output that contain "DNS Servers" (several IP addresses may be listed, one per line).
Check every interface when multiple interfaces are in use (wireless LAN, wired LAN, etc.).
Check whether any of the DNS server IP addresses found fall within the following IP address ranges:
85.255.112.0 - 85.255.127.255
67.210.0.0 - 67.210.15.255
93.188.160.0 - 93.188.167.255
77.67.83.0 - 77.67.83.255
213.109.64.0 - 213.109.79.255
64.28.176.0 - 64.28.191.255
If any of the DNS servers has an IP address that falls in one of the ranges above, the PC may be infected with DNSChanger.
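The check above can be automated for a lab or a whole campus by parsing the output of ipconfig /all and comparing every configured DNS server with the ranges listed in this alert. The following script is an added example written for this page; it is not EDU-CERT or FBI code. The ipconfig text embedded in it is constructed, not a real capture: it uses RFC 5737 documentation addresses for the legitimate servers and 85.255.112.45 as an arbitrary address inside the first rogue range, not a specific known server. The helper name check_local_machine is our own and only runs on Windows, where ipconfig exists.

```python
"""Flag DNS servers from 'ipconfig /all' output that fall inside the DNSChanger ranges."""
import ipaddress
import platform
import re
import subprocess

# The rogue DNS server ranges listed in the alert (inclusive start - end).
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Convert each start-end pair into CIDR networks once, so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
]

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")              # "Ethernet adapter Local Area Connection:"
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)")  # first "DNS Servers" line of an adapter
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                 # continuation line holding only an address


def parse_ip(text):
    """Parse an address as printed by ipconfig; IPv6 zone ids such as '%1' are dropped."""
    try:
        return ipaddress.ip_address(text.split("%", 1)[0])
    except ValueError:
        return None


def is_rogue_dns(ip_text):
    """True if the address falls inside one of the alert's DNSChanger ranges."""
    ip = parse_ip(ip_text)
    return ip is not None and any(ip in net for net in ROGUE_NETWORKS)


def dns_servers_by_adapter(ipconfig_output):
    """Return {adapter name: [dns server strings]} parsed from 'ipconfig /all' text."""
    result = {}
    adapter = None
    in_dns = False
    for line in ipconfig_output.splitlines():
        m = ADAPTER_RE.match(line)
        if m:                                   # new adapter section starts
            adapter = m.group(1).strip()
            result.setdefault(adapter, [])
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:           # first DNS server of this adapter
            in_dns = True
            if m.group(1):
                result[adapter].append(m.group(1))
            continue
        m = CONT_RE.match(line)
        if in_dns and m and parse_ip(m.group(1)) is not None:
            result[adapter].append(m.group(1))  # second, third ... DNS server
            continue
        in_dns = False                          # any other line ends the DNS Servers block
    return result


def find_rogue_dns(ipconfig_output):
    """Return [(adapter, dns server)] for every configured DNS server inside a rogue range."""
    return [
        (adapter, server)
        for adapter, servers in dns_servers_by_adapter(ipconfig_output).items()
        for server in servers
        if is_rogue_dns(server)
    ]


def check_local_machine():
    """Run the alert's 'ipconfig /all' step on this Windows host and return the rogue hits."""
    if platform.system() != "Windows":
        raise RuntimeError("ipconfig /all is only available on Windows")
    out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True)
    return find_rogue_dns(out.stdout)


# Constructed sample (not a real capture): the wired adapter points at an address inside
# 85.255.112.0 - 85.255.127.255, the wireless adapter only at documentation addresses.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-PC-01
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 85.255.112.45
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 203.0.113.20
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       203.0.113.53
"""

if __name__ == "__main__":
    for adapter, server in find_rogue_dns(SAMPLE_IPCONFIG):
        print(f"POSSIBLE DNSChanger INFECTION: {adapter} uses DNS server {server}")
```

Run as-is, the script reports only the wired adapter. On an actual Windows PC, call check_local_machine() instead of parsing the sample; ipconfig output saved from several machines can also be fed to find_rogue_dns to sweep a lab without visiting every desk.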
If your PC is infected, follow these instructions:
• Disconnect the PC from the network.
• Correct the PC's DHCP and IP address settings so that a valid DNS server IP address is used.
The FBI has confirmed a variant of DNSChanger that changes router DNS settings. If a DNSChanger infection is detected on a PC, also check whether the router(s) used by that computer have been modified.
For more information, refer to the following:
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
Finally, note that PCs infected with DNSChanger may be infected with other types of malware as well.
If you have any further questions or information regarding this alert, please contact EDU-CERT.
Federal Bureau of Investigation (FBI), DNSChanger Malware:
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), DNS Changer:
http://www.jpcert.or.jp/english/at/2012/at120008.html
F-Secure, Trojan:W32/DNSChanger:
http://www.f-secure.com/v-descs/dnschang.shtml