Letter Re: A New Malware Threat

Hello, Mr Rawles:
I saw the Odds ‘n Sods piece where Michael Z. Williamson forwarded an article with the warning about “thousands of PCs infected” to lose Internet access, which refers people to www.dcwg.org. I read the article.

Sorry, but I don’t trust going to such a site. It could easily be a government-based data collection site. It’s amazing how much information is passed along with simply browsing a web site. dcwg.org is registered to someone in Cupertino, California.

I found that www.DNS-OK.us will give the same information about whether a system is infected or not. That site is registered to Paul Vixie, whom the article refers to as their consultant. Vixie’s site will give you a green colored screen if you are clear and a red colored screen if you are infected. His site does warn that if your Internet Service Provider (ISP) redirects DNS, the Domain Name System, your computer might pass the test yet still have the infection. It seems that only Windows systems were affected, although ISPs could have been as well, and they are used by other systems, such as Linux and Mac systems.

After checking Vixie’s site, the easiest way to know if you may yet be infected is to check your DNS server addresses against the FBI’s bad list:

85.255.112.0 to 85.255.127.255 -> 85.255.112-127.0-255
67.210.0.0 to 67.210.15.255 -> 67.210.0-15.0-255
93.188.160.0 to 93.188.167.255 -> 93.188.160-167.0-255
77.67.83.0 to 77.67.83.255 -> 77.67.83.0-255
213.109.64.0 to 213.109.79.255 -> 213.109.64-79.0-255
64.28.176.0 to 64.28.191.255 -> 64.28.176-191.0-255

For those who do not know about Internet Protocol (IP) addresses, notice that they contain four numbered parts with periods separating each part, sometimes called a dotted list. Each part will be a number in the range 0 to 255 inclusive. On the right I have denoted them as dotted range lists. For instance, if the first two or three dot-separated numbers, e.g., 85.255 or 77.67.83, do not match your DNS numbers then you are clear. If any in the bad list do match, the rest of the entry shows the ranges of the bad numbers. For instance, if your DNS server number starts with 85.255, then the third number must be between 112 and 127 inclusive to be a match in the bad list. If that third number matches then the fourth number is a guaranteed match.

Windows users can find out their DNS server IP addresses by opening the Start menu and selecting the Run option in the list. Type “cmd” and press ENTER. A window running cmd.exe will open. At the command prompt type “ipconfig /all” and press ENTER. At the end of the output will be a list of DNS Servers. Check the DNS IP address numbers against the bad list. One address could be the router’s address, typically beginning with 192.168. If that’s in the list of server addresses, you may have to log in to your router to see what it denotes as its server. The router connects to the ISP, which does the real Internet access.
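For readers who would rather not compare the numbers by hand, here is an added Python example (editor's addition, not part of Larry's letter) that carries out the same two steps: it pulls the “DNS Servers” entries out of saved `ipconfig /all` output and checks each one against the six ranges in the bad list, flagging a 192.168.x.x entry as the router that must be checked separately. The ipconfig text it reads is a constructed sample, not output from a real machine.

```python
import ipaddress
import re

# The six rogue DNS ranges from the bad list above, written as CIDR blocks
# (e.g. 85.255.112.0 to 85.255.127.255, third part 112-127, is 85.255.112.0/20).
BAD_DNS_RANGES = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20")]

def is_rogue_dns(addr):
    """Return the bad block that contains addr, or None if it is clear."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in BAD_DNS_RANGES if ip in n), None)

def dns_servers_from_ipconfig(text):
    """Collect the IPv4 'DNS Servers' entries from `ipconfig /all` output:
    the first follows the label, the rest sit alone on indented lines."""
    servers, collecting = [], False
    for line in text.splitlines():
        if re.match(r"\s*DNS Servers[ .]*:", line):
            collecting = True
            line = line.split(":", 1)[1]      # keep only the address part
        elif collecting and not re.match(r"\s+\S+\s*$", line):
            collecting = False                # next labelled field ends the list
        if collecting:
            m = re.fullmatch(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*", line)
            if m:                             # IPv6 entries are skipped
                servers.append(m.group(1))
    return servers

def verdict(addr):
    """'clear', 'rogue (...)', or a reminder that a private address is the router."""
    hit = is_rogue_dns(addr)
    if hit:
        return f"rogue ({hit})"
    if ipaddress.ip_address(addr).is_private:
        return "private: this is the router; check the DNS setting inside it"
    return "clear"

def check_system(ipconfig_text):
    """Map every DNS server in the ipconfig output to its verdict."""
    return {s: verdict(s) for s in dns_servers_from_ipconfig(ipconfig_text)}

# Constructed sample of `ipconfig /all` output (not from a real PC): one
# server from the bad list plus the router's own address.
SAMPLE_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
"""
```

Run `ipconfig /all > dns.txt` in the cmd window, then pass the file's contents to `check_system` to get a verdict for each listed server.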

To check the DNS server that your ISP gave your router, log in to the router. Start a web browser, click your mouse pointer in the location box, erase whatever is already in there, and type the IP address that ipconfig showed as the “Default Gateway.”

The router’s web page may prompt for your router’s login name and password. If you did not change the login info from the initial settings that came from the router manufacturer, shame on you! Those names and passwords are documented and well known to system crackers — check your router’s manual. That would be the way someone could have changed yours. Enter your name and password and check your DNS Server’s IP address against the bad list.

If the router’s DNS address is on the bad list, call your ISP’s technical support immediately. Should you get the red screen on Paul Vixie’s site instead of the green, or should one of your own system’s DNS addresses be on the bad list, you may have to reformat your disk drive and reinstall your operating system, all your software, and your data files. You should have a backup of your important files stored somewhere so that reinstalling is merely an inconvenient, time-consuming pain, but you are not left out in the cold. Be careful of a simple restore of your entire operating system from your backup, because you may have backed up the infected system and you would just reinfect it with the restore. It is safest to start from scratch: install your operating system and the various programs you use from the manufacturers’ disks.

If you’re not familiar with these operations, consider consulting a friend, relative, or neighbor who is familiar or contracting with a computer professional to help. – Larry R.