Well, I'm from Brazil, I work in a big organization and I manage a network with a lot of computers.
All the computers are registered in an Active Directory domain and they are configured to use serv01 (10.1.48.1) and babilonia01 (10.1.48.2) as domain controllers and for DNS lookups.
My network has 2 internet servers called 10.1.48.13 and 10.1.48.11 (10.1.48.5 is the same as 10.1.48.11, 2 IPs on the same interface). Both of them have a non-restrictive proxy server and can also be used as gateway servers.
My netmask is 255.255.252.0 and the broadcast address is 10.1.51.255.
The virus is causing random computers to show phishing pages instead of the requested ones.
For example, http://intranet is bound to http://babilonia01, which is the same as http://10.1.48.2
When some users try to access http://intranet they get the following screen:
This is not linked to the browser, because the same thing happens when I try with Firefox (fresh install).
And this is not linked to the operating system, because there are other threads on the internet where it affects Mac OS:
Possible Virus/Malware:"Red the page does not support your version of browser"
So many different things and suggestions, so I have no idea what to do. And to make it more difficult, I do not have the issue; my aunt does, over in LA, and I am halfway across the world. I usually solve my problems by trial and error and I can go down the list of suggestions, but I would need to give her more specific instructions. Making it worse, most of them on there are Windows, not Mac.
If I click "Browser update" it will download a virus (of course).
I was trying to understand why the virus would be trying to catch my users if the computer is already infected. The answer is that the computer is NOT INFECTED.
After some time studying it, I found that there are some infected computers in my network acting as DHCP servers, so when a machine searches for a server it may find the infected PC or my real server (10.1.48.2). The infected PC will not create an IP; it asks my real server (or another PC, I don't know) what it should answer and then gives an answer, but replacing the DNS servers with 184.108.40.206.
http://imageshack.us/photo/my-images/600/cap12n.png/ (this PC was working normally; it's using my real server)
http://imageshack.us/photo/my-images/89/cap14.png/ (ipconfig /release then /renew on the same PC, and an infected PC, 10.1.48.232, answered the request and it got affected)
The IP 220.127.116.11 is not part of my network, so I assume it's on the internet.
It successfully resolves any domain to the address 18.104.22.168
http://imageshack.us/photo/my-images/850/cap6.png/ (in this example the DNS resolves a.b.c.d to 22.214.171.124)
The phishing page is not displayed with other IPs, only with 126.96.36.199
http://188.8.131.52 does not display the phishing page if an infected PC did not give you an IP, so I think 184.108.40.206 and the infected PCs have a connection.
220.127.116.11 says it's running PHP 5.2 on Apache, according to its headers.
A way to discover infected PCs is to keep releasing and renewing the IP address to catch the other DHCP servers.
In the thread I found, this site says that some people could remove the virus from infected PCs using that tool:
The tool detects the virus by its DHCP server and deletes it.
I could not try it yet, but I'll try tomorrow.
I also could not test the infected PCs yet; I'll also do that tomorrow.
I'm sharing all this with you to help you solve related issues and to expand the information about it on the internet, helping people who work at antivirus companies.
If you already know a way to remove it, or to block it, please share.
Tomorrow I'll try to block that IP with iptables, but I'm not sure if that will work, since it may be dynamic.
edit: fixed the IP address; the correct one is: 18.104.22.168
After some searching I found that 22.214.171.124 does the same.
I can access http://126.96.36.199 and http://188.8.131.52 from my house, so it is an internet address, and it displays the phishing page to everyone (maybe I typed the wrong IP earlier).
Edited by jose.rob.jr, 06 June 2011 - 07:27 PM.
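The release/renew check the post describes can be turned into a deliberate probe. The following script is an added example, not code from the post, the thread or any tool mentioned in it: it broadcasts one DHCPDISCOVER, parses every DHCPOFFER that answers, and flags any offer whose server identifier is not one of the two legitimate servers or whose DNS option points at a host outside 10.1.48.0/22. The allowlist (10.1.48.1, 10.1.48.2, netmask 255.255.252.0) and the rogue values used in the offline sample packets (10.1.48.232, the 184.108.40.206 DNS address) are taken from the post as assumptions; the client MAC and offered lease address are constructed. Binding UDP port 68 needs administrative rights, so run it from a spare client on the affected segment rather than on a domain controller.

```python
import ipaddress
import random
import socket
import struct
import time

# Allowlist assumed from the post: both domain controllers serve DHCP and DNS,
# and the site network is 10.1.48.0/22 (netmask 255.255.252.0). Adjust for your own site.
LEGIT_DHCP_SERVERS = {"10.1.48.1", "10.1.48.2"}
LEGIT_DNS_SERVERS = {"10.1.48.1", "10.1.48.2"}
SITE_NETWORK = ipaddress.ip_network("10.1.48.0/22")
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 marker that starts the option area
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header (op..file)

def _header(op, xid, yiaddr, siaddr, chaddr):
    return struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,   # flags 0x8000: broadcast reply
                       b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(siaddr),
                       b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)

def build_discover(xid, mac):
    """Client side: minimal DHCPDISCOVER requesting router, DNS and server-id options."""
    opts = (MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([55, 3, OPT_ROUTER, OPT_DNS, OPT_SERVER_ID]) + bytes([OPT_END]))
    return _header(1, xid, "0.0.0.0", "0.0.0.0", mac) + opts

def build_offer(xid, mac, offered_ip, server_id, dns, router):
    """Server side: a DHCPOFFER. Used here only to construct sample replies offline."""
    opts = (MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
            + bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
            + bytes([OPT_DNS, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
            + bytes([OPT_END]))
    return _header(2, xid, offered_ip, server_id, mac) + opts

def parse_dhcp(packet):
    """Parse the fixed header and the TLV option area into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", packet[4:8])[0]
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:               # pad option: one byte, no length field
            i += 1
        else:
            code, length = packet[i], packet[i + 1]
            options[code] = packet[i + 2:i + 2 + length]
            i += 2 + length
    return {"op": packet[0], "xid": xid, "yiaddr": socket.inet_ntoa(packet[16:20]), "options": options}

def _ip_list(raw):
    return [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw) - len(raw) % 4, 4)]

def classify_offer(packet, expect_xid=None):
    """None for anything that is not an OFFER (or not ours); else a dict with the verdict."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE, b"")[:1] != bytes([DHCPOFFER]):
        return None
    if expect_xid is not None and msg["xid"] != expect_xid:
        return None
    server = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    dns = _ip_list(opts.get(OPT_DNS, b""))
    findings = []
    if server not in LEGIT_DHCP_SERVERS:
        findings.append(f"offer from unknown DHCP server {server}")
    for d in dns:
        if d not in LEGIT_DNS_SERVERS:
            where = "on-site" if ipaddress.ip_address(d) in SITE_NETWORK else "off-site"
            findings.append(f"{where} DNS server {d} pushed to the client")
    return {"server": server, "offered_ip": msg["yiaddr"], "dns": dns,
            "routers": _ip_list(opts.get(OPT_ROUTER, b"")),
            "rogue": bool(findings), "findings": findings}

def scan_for_offers(timeout=5.0):
    """Live check: broadcast one DISCOVER and classify every OFFER heard before the timeout."""
    xid = random.getrandbits(32)
    mac = b"\x02\x00\x00" + random.getrandbits(24).to_bytes(3, "big")  # constructed, locally administered
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", 68))
    s.settimeout(timeout)
    s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
    results, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, (src, _port) = s.recvfrom(2048)
            result = classify_offer(data, expect_xid=xid)
        except socket.timeout:
            break
        except ValueError:               # non-DHCP traffic on the port
            continue
        if result:
            result["from"] = src
            results.append(result)
    s.close()
    return results

if __name__ == "__main__":
    print(*scan_for_offers(), sep="\n")
```

Each rogue host answers the DISCOVER with its own address in the server identifier and as the UDP source, so the `from` and `server` fields give you the machine to pull off the network; repeating the scan a few times catches rogues that lost the race to the real server on the first try. Because the rogue in the post relays the real server's lease and only swaps the DNS option, the DNS check matters as much as the server-identifier check: a rogue that forged the server identifier would still be caught by the off-site DNS finding.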