----- Original Message ----- From: "Kevin Gerry" <[EMAIL PROTECTED]> Sent: Wednesday, October 22, 2003 4:01 AM Subject: [Full-Disclosure] Windows hosts file changing.
> Does -ANYBODY- know how it occurs? > > I've had this happen to a couple boxes of mine now... > > New one: > -- > 127.0.0.1 localhost > 66.40.16.131 livesexlist.com > 66.40.16.131 lanasbigboobs.com > 66.40.16.131 thumbnailpost.com Perhaps a variant of the QHosts virus which just exploits an IE vulnerability. Perhaps not even a "virus" per say. (It's kind of sketchy anyways to call Qhosts a virus.) Perhaps a user got an email and clicked on the URL and it sent them to a site that took advantage of their IE not being patched. http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html http://vil.nai.com/vil/content/v_100719.htm The MS03-040 patch addresses this type of attack on a system. -Josh -- Joshua Levitsky, MCSE, CISSP System Engineer Time Inc. Information Technology [5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
