Well, I'm from Brazil, I work in a big organization and I manage a network with a lot computers.
All the computers are registered in an Active Directory's domain and they are configured to use serv01 (10.1.48.1) and babilonia01 (10.1.48.2) as domain controller and for DNS lookups.
My network has 2 internet servers called 10.1.48.13, 10.1.48.11 (10.1.48.5 is the same as 10.1.48.11, 2 IPs on the same interface). Both them has a proxy server non-restrictive and can also be used has gateway server.
My netmask is 255.255.252.0 and broadcast 10.1.51.255
The virus is causing random computers to show a phishing pages instead of the requested ones.
For example, http://intranet is a bind to http://babilonia01 which is the same as http://10.1.48.2
When some users try to access http://intranet the get the following screen:
This is not linked to the browser because the same thing happens when I try with firefox (fresh install)
And this is not linked to the operating system because there are others threads over the internet affecting Mac OS:
Possible Virus/Malware:"Red the page does not support your version of browser"
So many different things and suggestions, so I have no idea what to do. And to make it more difficult I do not have the issue, my aunt does over in LA and I am 1/2 way across the world. I usually solve my problems by trial and error and i can go down the list of suggestions but I would need to give her more specific instructions. Making it worse, most of them on there are windows not mac.
If I click Browser update it will download a virus (of course)
I was trying to understand why the virus would be trying to catch my users if he is already infected. The answer is that the computer is NOT INFECTED.
After some time studding it, I found that there are some infected computers in my network acting as DHCP server, so when I a machine search a server it may find the infected PC or my real server (10.1.48.2). The infected PC will not create an IP, it asks my real server (or another PC, i don't know) what he should answer and then gives an answer but replacing the DNS servers to 18.104.22.168.
http://imageshack.us/photo/my-images/600/cap12n.png/ (this PC was working normally, it's using my real server)
http://imageshack.us/photo/my-images/89/cap14.png/ (ipconfig /relase then /renew on the same PC and an infected PC answered the request. 10.1.48.232 and it got affected)
The IP 22.214.171.124 is not part of my network, so I assume it's in the internet.
It resolves with success any domain to the address 126.96.36.199
http://imageshack.us/photo/my-images/850/cap6.png/ (in this example the DNS resolves a.b.c.d to 188.8.131.52)
It the phishing page is not displayed with other IPs, only with 184.108.40.206
The http://220.127.116.11 does not display the phishing page if an infected PC did not give you an IP, so I think the 18.104.22.168 and infected PCs have a connection.
22.214.171.124 says it's running PHP 5.2 in Apache through headers.
A way to discover infected PCs is to keep releasing and renewing IP address to grab others DHCP servers.
In the thread I found this site says that some people could remove the virus from infected PCs using that tool:
The tool detects the virus by it's DHCP server and delete it.
I could not try yet, but I'll try tomorrow.
I also could not test the infected PCs yet, and I'll also do it tomorrow.
I'm sharing all this with you to help you to solve related issues and to expand informations about it on the internet, helping people who works on antivirus companies.
If you already know a way to remove it, or to block it, please share.
Tomorrow I'll try to block that IP with iptables, but I'm not sure if that will work since it may be dynamic.
edit: fixed the ip address, the correct is: 126.96.36.199
after some searchs i found that 188.8.131.52 does the same.
I can access http://184.108.40.206 and http://220.127.116.11 in my house, so it is an internet address, and it displays the phishing page to everyone (maybe I typed the wrong ip earlier)
Edited by jose.rob.jr, 06 June 2011 - 07:27 PM.