That was great!
Mark |
11.07.07 - 3:25 pm | #
|
|
Interesting video, and I meant to ask this the last time... Why would a change to the DNS affect only IE and not Firefox? Shouldn't a DNS change affect everything?
dean |
11.07.07 - 3:51 pm | #
|
|
Dean,
Good question. In the full video - http://www.sunbelt-software.com/.../dnschange2.wmv - you will see that a helper executable is also installed in addition to the DNS server modification.
This component is responsible for monitoring what you click on the search engine, relaying that back to the control server and then re-directing you to the webpage of their choice (which typically is advertising related to what you were attempting to originally search for).
Adam Thomas |
11.07.07 - 5:07 pm | #
|
|
Also, I forgot to answer your original question.
At the time, the malware wasn't designed to work with Firefox. However, times change and it does now.
Adam |
Homepage |
11.07.07 - 5:34 pm | #
|
|
Thanks Adam!
dean |
11.07.07 - 8:03 pm | #
|
|
uem, if I click the link - it gives me:
about:://sunbeltblog.blogspot.com/2007/04/movie-time-dns-changer-trojan.html
"Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable."
I just deleted the "about::" bit myself, but is it just me or is the link itself broken?
Got to check again tonight, no player installed here at work 
Yourhighness |
Homepage |
11.08.07 - 8:43 am | #
|
|
fixed
alex eckelberry |
11.08.07 - 9:16 am | #
|
|
Go Process Explorer!!!!
:D
Aaron |
11.08.07 - 7:33 pm | #
|
|
I tried this malware myself, it uses these processes:
SWARE.EXE (Proc. ID - 3912)
SYSMONMS.EXE (I guess it's the one that displays the "Your Computer is Infected" alert) (Proc. ID - 2952)
cmd.exe (Proc. ID - 2616)
and Alcmtr.exe (Proc. ID - 2136)
It was quite fun making the fixer for this trojan. 
Good job Alex and Adam!
Xeydo |
11.09.07 - 2:43 am | #
|
|