The newest variant of the Zlob trojan, currently seen packed as the video codec 'DVDAccess', is able to change the DNS records on your router.
This means that this piece of software can give you the impression you are visiting your PayPal/bank site (for instance) but in reality you are visiting a fake bank site created by 'the bad guys'.
Because this malware does not mess with your computer/notebook but changes settings in your (wireless-) router/modem/gateway, cleaning your computer/notebook after infection will not be enough.
You will also have to reset your (wireless-)router.
The single most important thing to prevent the new Zlob wreaking havoc is to change the standard username and password of your router. Do it!
And of course to have your AV-program up-to-date.
Zlob tries to 'guess' the username & password with its built-in list of standard usernames and passwords.
If you have a router username and password something like ' ^&%$^$:""{{<>¤¼½¾‘€*L564GC', this Zlob variant can do you no harm.
Moral of the story; Don't use a standard username and password on your router.
Source link
Cheers.
-
Tinderbox (UK) BAKED BEAN KING
Hi.
You might want to run DetectBadDNS10.exe a couple of times; on the first go it said my system was OK, but on the second and subsequent tests it failed.
Regards
John. -
Did the program fail to start or did you get an IP address for the non-existing domain?
(I've run it more than a dozen times and no fails....)
-
Tinderbox (UK) BAKED BEAN KING
Hi.
So, I have a bad DNS, how do I fix it? I have changed my password to a 10-digit random number and it still fails the DetectBadDNS10.exe test.
Regards
John.
EDIT: I got an IP address; I have a NETGEAR DG834GT router. -
Run an online scan of your notebook or computer with either BitDefender, Kaspersky or Norton.
After completing the scan, reset the router to default configuration and then change the standard username and password.
Cheers. -
Tinderbox (UK) BAKED BEAN KING
Hi.
I have done a full reset to default and installed a new password, but I still get the same BAD DNS error.
Regards
John. -
Thank god I decided to use a 14 character A grade password for my router...but now I feel like upping it to 64 A+ grade hexadecimal characters just to be safe even though I can't get Windows viruses...
-
Mmmm, the IP addresses you get are from BareFruit LTD, if I check with WhoIs DomainTools; link.
They seem to make software for ISPs that "improve the consumers browsing experience and enhance revenues for ISP's". Apparently every random IP address is handled with their software by your ISP. (As far as I can figure it out)
Their blacklist status is clear, so I guess it's a fault in the SpamHaus blacklist used by "DetectBadDNS10.exe".
I'll contact those guys from SurfRight and ask them if their program can rely on that SpamHaus list.
In the meantime I'll remove the link to that program. -
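
The check discussed in this thread (does a non-existent domain come back with an IP address?), as an added Python example. It is not DetectBadDNS10.exe or any poster's code and it does no blacklist lookup; the probe names, function names and verdict labels are assumptions made for the illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Resolve through the OS resolver, i.e. the DNS servers handed out by the router."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()  # NXDOMAIN or lookup failure: no address came back
    return {info[4][0] for info in infos}


def random_names(count=5, tlds=("com", "net")):
    # Constructed probe names: 24 random hex characters make a registered domain implausible.
    return [f"{secrets.token_hex(12)}.{tlds[i % len(tlds)]}" for i in range(count)]


def check_nxdomain(resolve=system_resolve, names=None):
    """Return (verdict, answers) for a set of names that should not exist."""
    names = names or random_names()
    answers = {name: resolve(name) for name in names}
    answered = [name for name, addrs in answers.items() if addrs]
    if not answered:
        verdict = "ok"            # every probe failed to resolve, as expected
    elif len(answered) < len(names):
        verdict = "inconsistent"  # only some probes were answered: rerun before concluding
    else:
        verdict = "rewritten"     # the resolver hands out an address for anything
    return verdict, answers


if __name__ == "__main__":
    verdict, answers = check_nxdomain()
    print(verdict)
    for name, addrs in answers.items():
        print(f"  {name} -> {', '.join(sorted(addrs)) or 'no address'}")
```

A "rewritten" verdict alone does not separate ISP redirection from a changed router DNS setting: look up who owns the returned addresses and compare the DNS servers configured in the router with the ones your ISP publishes.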
Tinderbox (UK) BAKED BEAN KING
Hi.
So did you try the DetectBadDNS10.exe program!
Regards
John.
-
You know this is weird but when I tried downloading the new Divx codec from the official website, Avast picked up a Trojan. I backed out of it when Avast recognized a threat.
Stupid me as I didn't make a note of what it found. I just had it delete the threat. I'm hoping it was just a false positive.
Since this thread has made us aware of this new trojan I've run Windows Defender and Avira and it hasn't found any threats. I also have UAC enabled but nothing has come up as a problem. -
"Probably a false positive and probably because the Divx package contains the DivXComponent.exe (part of the Divx installer) which has previously been flagged as a trojan by Avira AntiVir.
You can download the Divx package by pausing the Web Shield in Avast for the duration of the download, put it back on after finishing the download.
When you have finished the download, check the Divx package with a couple of online scanners to be sure/for ease of mind.
I doubt the Divx servers have been hacked or something but better be safe than sorry. Online scanners can be found in my sig link/sticky.
Cheers."
I don't think your Avast warning has anything to do with the new Zlob variant.
However, you could upload the Divx file to VirusTotal to have it checked quickly with 30+ AV programs.
Cheers. -
Where to find "DetectBadDNS10.exe"?
Thanks -
Tinderbox (UK) BAKED BEAN KING
Hi.
I had the same thing, I posted a couple of days ago.
http://forum.notebookreview.com/showthread.php?t=260360
Regards
John.
Newest Zlob trojan alters DNS records on your (wireless) router
Discussion in 'Security and Anti-Virus Software' started by Baserk, Jun 14, 2008.