
Vulnerabilities (2006)


Issue: Windows -- FreeVideo Trojan
Risk: Critical (active) -- root-kit/DNS hijack
Date: 20-Nov-2006/28-Nov-2006

Automated monitors have detected your system conducting DNS queries to off-site servers located in Ukraine which have been implicated in a 'FreeVideo Trojan' compromise. It is highly unusual for systems other than the campus DNS servers to make any off-site DNS queries at all. If your system is a Microsoft Windows system then this is very good evidence that it is compromised.

We understand the compromise involves web sites where the user is invited to download a 'FreeVideo' player to view content. The player is in fact a Trojan. See the detailed discussion at the SANS Diary (2006/11/19).
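The detection rule behind the alarm above, shown as an added example that is not part of the original advisory: a small Python routine reads constructed flow records (timestamp, source, destination, destination port, protocol), keeps only port-53 queries from a campus host to an off-campus address, exempts the campus DNS servers (the false-positive case the advisory mentions, since resolvers legitimately recurse off-site), and rates a host 'critical' when the destination falls in 85.255.112.0/20 and 'suspicious' for any other off-site resolver. The campus network range 129.97.0.0/16, the resolver address 129.97.128.10, the record format and the addresses in the sample are assumptions made for this example.

```python
import ipaddress

# Constructed sample of the kind of flow records a network monitor produces:
# timestamp, source IP, destination IP, destination port, protocol.
# Addresses and format are assumptions for this example, not real monitor data.
SAMPLE_FLOWS = """\
2006-11-20T09:12:01 129.97.10.44 85.255.112.37 53 udp
2006-11-20T09:12:02 129.97.10.44 85.255.112.37 53 udp
2006-11-20T09:12:05 129.97.128.10 85.255.112.37 53 udp
2006-11-20T09:13:10 129.97.55.8 8.8.8.8 53 udp
2006-11-20T09:13:11 129.97.55.8 129.97.128.10 53 udp
2006-11-20T09:14:00 129.97.77.3 85.255.120.9 80 tcp
"""

CAMPUS_NETS = [ipaddress.ip_network("129.97.0.0/16")]          # assumed campus space
CAMPUS_DNS_SERVERS = {ipaddress.ip_address("129.97.128.10")}   # assumed campus resolver
TROJAN_DNS_RANGE = ipaddress.ip_network("85.255.112.0/20")     # 85.255.112.0 - 85.255.127.255


def is_campus(addr):
    """True if the address lies inside one of the campus networks."""
    return any(addr in net for net in CAMPUS_NETS)


def classify_flows(text):
    """Return {source_ip: severity} for campus hosts making off-site DNS queries.

    severity is 'critical' if any query went to the trojan's DNS range and
    'suspicious' for any other off-site resolver. Campus DNS servers are
    exempt because they are the one kind of host expected to query off-site.
    """
    verdicts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip blank or malformed records
        _, src, dst, dport, proto = parts
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport != "53" or proto not in ("udp", "tcp"):
            continue                      # not a DNS query
        if not is_campus(src) or is_campus(dst) or src in CAMPUS_DNS_SERVERS:
            continue                      # inbound, on-campus, or a legitimate resolver
        severity = "critical" if dst in TROJAN_DNS_RANGE else "suspicious"
        key = str(src)
        if verdicts.get(key) != "critical":
            verdicts[key] = severity      # never downgrade a host already marked critical
    return verdicts


if __name__ == "__main__":
    for host, severity in sorted(classify_flows(SAMPLE_FLOWS).items()):
        print(f"{host}: {severity}")
```

On the sample above the host 129.97.10.44 is rated critical, 129.97.55.8 is merely suspicious (it queried a public resolver, not the trojan's), the campus resolver is ignored, and the port-80 flow to the trojan range is not counted because the rule is about DNS queries, not all traffic.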

Recommendations

  1. You should first confirm that this alarm is accurate -- have you recently installed a 'FreeVideo' player? Has your system been configured to use DNS servers in Ukraine?

    • From the "Start" menu, select "Run", type "cmd" and press Enter to open a command window.

    • In the "cmd" window run the command "ipconfig /all" and check the "DNS Servers" entry for each network interface.

    • If any of your "DNS Servers" are IP addresses in the range '85.255.112.0 - 85.255.127.255' (that is, 85.255.112.0/20) then you are compromised. Make sure you check the DNS Servers on all interfaces, not just the one you normally use.

    The SANS Diary points to "Registry" keys which will have been changed to insert a root-kit into your boot sequence. If you are comfortable with a Registry Editor (like "regedit") you can confirm the infection by checking the value of the Registry key mentioned (many users are not comfortable doing this).

    If we have alarmed your system in error we are very interested to know more -- to date the alarm has been very accurate, with the only false positives involving campus DNS servers.

  2. The SANS Diary describes an infection that will be difficult to remove. At this writing the infection involves several components including a root-kit and none are recognized by the Anti-Virus tools we use. We therefore recommend that you rebuild your system from clean media.

  3. You should, in future, be careful about web sites you visit and especially cautious about "free" software you install on your system. More often than not "free" software from dubious sites will be malicious.
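An automated form of the check in recommendation 1, added here as an example and not part of the original advisory: a Python script that parses saved "ipconfig /all" output (run "ipconfig /all > ipconfig.txt" on the suspect machine, then check the file on any machine with Python) and reports every adapter whose DNS servers fall in 85.255.112.0/20. It handles the two things that trip up an eyeball check: more than one adapter, and additional DNS servers listed on unlabelled continuation lines under the first. The sample output, adapter names and addresses below are constructed for this example.

```python
import ipaddress
import re
import sys

# Range the advisory flags as the trojan's DNS servers (85.255.112.0 - 85.255.127.255).
BAD_DNS_RANGE = ipaddress.ip_network("85.255.112.0/20")

# Constructed sample of `ipconfig /all` output from a Windows XP host with two
# adapters. Names and addresses are assumptions for this example. Note that the
# second DNS server of each adapter sits on a continuation line with no label.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WKSTN-12
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : uwaterloo.ca
        IP Address. . . . . . . . . . . . : 129.97.10.44
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 129.97.10.1
        DNS Servers . . . . . . . . . . . : 129.97.128.10
                                            129.97.128.100

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.4.9
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 172.16.0.1
        DNS Servers . . . . . . . . . . . : 85.255.112.37
                                            85.255.114.21
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")          # "Ethernet adapter X:"
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: *(\S*)\s*$")    # labelled first server
CONT_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$")       # unlabelled continuation


def parse_dns_servers(text):
    """Map adapter name -> list of DNS server strings from ipconfig /all text."""
    servers = {}
    adapter = None
    in_dns = False            # True while inside a "DNS Servers" block
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers[adapter] = []
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            in_dns = True
            if m.group(1):                  # label line may carry no address
                servers[adapter].append(m.group(1))
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
        else:
            in_dns = False                  # any other line ends the DNS Servers block
    return servers


def find_bad_dns(text):
    """Return {adapter: [servers in the trojan range]} for adapters that hit."""
    hits = {}
    for adapter, addrs in parse_dns_servers(text).items():
        bad = [a for a in addrs if ipaddress.ip_address(a) in BAD_DNS_RANGE]
        if bad:
            hits[adapter] = bad
    return hits


if __name__ == "__main__":
    # Usage: python check_dns.py ipconfig.txt   (falls back to the sample above)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_IPCONFIG
    hits = find_bad_dns(text)
    if not hits:
        print("No DNS servers in 85.255.112.0/20 found on any adapter.")
    for adapter, bad in hits.items():
        print(f"COMPROMISED: adapter '{adapter}' uses DNS servers {', '.join(bad)}")
```

On the sample the wired adapter is clean and the wireless adapter is flagged for both of its servers; a check that only read the first labelled "DNS Servers" line of the first adapter would have missed the infection entirely.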

Finding Help

The IST/CHIP can provide some assistance; Resnet users should contact Technical Support, and each Faculty has a Computing Facility to support its faculty and staff (see the Faculty Help Desks listed at the IST/CHIP). Most users will require the assistance of computer professionals at one of the help centres to resolve this problem.

Acknowledgements

Many thanks to Brian Eckman of the University of Minnesota and the SANS Internet Storm Centre for posting his analysis.

Finally, if you have any questions/concerns or need help please let us know.

I am, Reg Quinton, Senior Technologist, Security (IST)
+1 519 888-4567x36070