Please read on for an important message to all ResNet users – even if youâ€™ve left Bristol for the Christmas vacation.
Shortly before the end of term we had an outbreak of a nasty virus on ResNet, called DNSChanger. DNSChanger hijacks your Internet settings and redirects your traffic to malicious websites under the control of the attacker. For example, you might think you are going to Google, but actually you are going to a malicious website which will take control of your computer, try to steal your credit card numbers and bombard you with adverts. The virus spreads by passing on malicious configuration information to other computers on the same local network, like ResNet.
Even if youâ€™ve left Bristol, please check now to see if your computer has a problem with this virus:
- Click Start (then Run in Windows XP), then type cmd in the box. A black command window should open.
- In the black command window type nslookup google.com
- Something like the following should be displayed:
Weâ€™re interested in the numbers on the second line (18.104.22.168 in our example). If you are on ResNet then these should start with 137.222 (the range for University of Bristol). If you are at home then they could start with anything.
If the address starts 85.255 then you may have a problem. This is a block of addresses in the Ukraine which the attackers are using. Do this further check:
- Click Start (then Run in Windows XP), then type ncpa.cpl in the box.
- Under the LAN or High-Speed Internet section, right-click the Local Area Connection and select Properties.
- Highlight Internet Protocol Version 4 (for Vista) or Internet Protocol (for XP) and select Properties.
- Click Advancedâ€¦
- Click the DNS tab
If you saw 85.255 in nslookup but the DNS server addresses box is blank or has other numbers then the good news is that you are not infected (by this particular virus version). You did see 85.255 in nslookup though. This means that another computer on the same local network has passed on the wrong settings and websites you visit may not be what they appear. Shut down your computer and restart it later. Go back to the command prompt and type nslookup google.com – if the 85.255 address has gone you are now OK.
If you have any entries in the DNS server addresses box and they begin with 85.255 then unfortunately the DNSChanger virus is on your computer. Your computer is under remote control and you can’t trust any websites you visit – definitely don’t type in any credit card numbers as these will be monitored and stolen.
The only way to recover from this DNSChanger virus is to wipe and re-install your operating system from the original manufacturer’s CDs. We’ve not found any antivirus tools that can clean the system once infected (some tools do claim to clean DNSChanger, but only work against older versions, not this one). First backup any documents and other important work you need to keep, then follow the manufacturer’s instructions to wipe and reinstall. If you don’t have the original CDs phone the manufacturer – they should send you copies for a small postage charge.
General advice for all ResNet users
Before you come back to Bristol next term, please make sure your anti-virus software and Windows Updates are up-to-date. Go to Control Panel, Security Centre, and make sure everything is marked green.
Find your manufacturers recovery CDs while you are home for Christmas and bring them back to Bristol, just in case you need them.
Generally be suspicious and careful when using the Internet – is this website, email or instant message what it appears to be? If in doubt please ask. You can contact the IT Help Desk 24 hours a day, even over the vacation, on 0117 928 7870.
Update by Mark 18/12/2008
Q1)Â Â Â I have MAC OSX, does this affect my computer?
A1)Â Â Â In general, OSX is unlikely to be compromised by the DNSChanger as it’s a Windows Virus but it’s possible to be using the rogue DNS servers if they were assigned to you by a compromised computer on your local network.Â On ResNet requests to external DNS servers are now blocked so you’ll just have a computer that won’t connect to any web sites, including this one!
It’s a good idea to check your current DNS server settings though:
- In Finder, click Applications
- Under Utilities, click Terminal
- In the Terminal window, type one or both of the commands below until you get some information returned:
- Look for the domain_name_server ip address. Anything starting 85.255 is bad.
ipconfig getpacket en0
ipconfig getpacket en1