LINUX GURU: March 2010

Backdoor.Win32.BO.a

Aliases

Backdoor.Win32.BO.a (Kaspersky Lab) is also known as: Backdoor.BO.a (Kaspersky Lab), Orifice.svr (McAfee), W32.HLLP.Clay.dr (Symantec), BackDoor.BOrifice (Doctor Web), Troj/Orifice-A (Sophos), Backdoor:Win32/BOClay (RAV), BKDR_BO.58880 (Trend Micro), Boserve-01 (H+BEDV), W32/Back_Orifice.124928 (FRISK), Win32:Trojan-gen. (ALWIL), BackDoor.BackOrifice (Grisoft), Backdoor.BackOrifice.A (SOFTWIN), Trojan.Bo (ClamAV), Trj/BOr (Panda), Back_Orifice.Dropper (Eset)

Description added	Feb 20 2002
Behavior	Backdoor

Technical details

This Trojan (also known as Back Orifice Trojan) is a network-administration utility that allows for the controlling of computers on the network. "'Back Orifice' is a remote administration system, which allows a user to control a computer across a tcpip connection using a simple console or gui application. On a local line or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine has," reads the advertising banner on a distribution Web-site.
The only feature classifying this utility as malicious Trojan software is the silent installation and execution. When this program is run, it installs itself into the system and then monitors it without any requests or messages. If you already have it installed on your computer, you cannot find this application in the task list. The Trojan also does not indicate its activity in any way.
The Trojan is distributed in a package of several programs and documentations. All programs in a package were written in C++ and compiled by Microsoft Visual C++ compiler. The date stamp on the EXE files that we have displays that all files in the package were compiled from the end of July through the first week of August 1998. All the programs in the package have Portable Executable formats and can be run under Win32 only.
The main executable in a package is the BOSERVE.EXE file that might be found with different names on an infected computer. This is the Trojan itself. It is the "server" part of the Trojan that might be summoned by clients from a remote computer.
The second file is the BOCONFIG.EXE utility that can configure the server as well as attach it to other executable files in the same style as viruses do. While attaching (infecting), the host file is moved down and the Trojan code is placed at the top of file. When "infected" files are run, the Trojan extracts the original file image and spawns it without any side effects.
There are two "client" parts of the Trojan (console and window), and they operate with the "server" from a remote computer. Two other executable files in a package are used by the Trojan while compressing/decompressing files on the "server".
When the Trojan is executed on the computer, it first of all detects its status: is it the original Trojan code or attached to some host file, i.e., modified by the BOCONFIG.EXE utility. In this case, the Trojan locates the customized options in the host file and reads them.
The Trojan then initializes the Windows sockets, creates the WINDLL.DLL file in the Windows system directory (this file is stored as a resource in the Trojan), then obtains several KERNEL32.DLL APIs addresses for future needs, searches for a Trojan process already run and terminates it (upgrades the Trojan process), copies itself to the Windows system directory and registers this copy in the system registry as the auto-run service:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Creates a TCP/IP datagram socket, assigns a port number 31337 (by default) to this socket and opens this port for listening. The Trojan then runs standard Windows DispatchMessage loop, i.e., stays in Windows memory as a process with a hidden attribute (it has no active window and is not visible in task manager).
The main Trojan routine then listens for commands from the remote client. The commands travel in encrypted form and start with the "*!*QWTY?" (without " characters) ID-string.
Depending on the command, the Trojan is able to perform a set of actions:

obtain and send computer name, user name and system info: processor type, memory size, Windows OS version, installed drives and free space on them;
share selected drives;
list disk contents or search for a specific file;
send/receive files (read and write them), as well as delete, copy, rename and run them (including updating itself);
create/delete directories;
compress/decompress files;
log off current user;
halt the computer;
enumerate and send active processes;
enumerate and connect to network resources;
terminate selected process;
obtain and send cashed passwords (passwords that were used during current session), then look for the ScreenSaver password (decrypt and send them);
display message boxes;
access the system registry;
open and redirect other TCP/IP sockets;
support HTTP protocols and emulate the Web-server, so one may access the Trojan by Web browser;
play sound files;
hook, store and send keyboard input while the user is logging in (see below).

While installing into the system, the Trojan creates the WINDLL.DLL file (it keeps this file image in its resources). In case of need, the Trojan loads this DLL into the memory and initializes it, the DLL then hooks the keyboard and console (device console) input and stores the hooked data to the BOFILEMAPPINGKEY and BOFILEMAPPINGCON files that are then available for the main Trojan routine.
The Trojan can also expand its abilities by using plug-ins. They can be sent to the "server" and installed as the Trojan's plug-in. The features and main functions (including possible malicious ones) are at its author's discretion.

Backdoor.Throd.a

Aliases

Backdoor.Throd.a (Kaspersky Lab) is also known as: BackDoor-CEV (McAfee), Backdoor.Sysdot (Symantec), BackDoor.Throda (Doctor Web), Troj/BDThr-A (Sophos), Backdoor:Win32/Throd.A (RAV), BDS/Throd.A.2.B (H+BEDV), Win32:BMP-SYS (ALWIL), BackDoor.Throd.A (Grisoft), Backdoor.Throd.A (SOFTWIN), Bck/Throd.A (Panda), Win32/Throd.A (Eset)

Description added	May 13 2004
Behavior	Backdoor

Technical details

Throd is a Trojan that allows a 'master' to use the zombie machine as a proxy server. Throd is written in Delphi for Windows, is about 23 KB in size (about 80 KB unpacked)and comes packed by UPX.

Installation

The Trojan copies itself in the Windows system folder under a randomly combined multi-partite name:

ms
svc
win

16
32
64

mes
prn
reg

"ms16prn.exe", for example.
In order to auto-launch, the Trojan creates a key in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

with one of the following names chosen at random:

MS Driver Management
Synchronization Messager
System Directory Service
System Service Control
Windows Messaging System

Throd then attempts to connect to several remote servers and onpass ID information, including IP address and so forth, to the virus coder.
Throd accepts commands from the remote 'master' collets email addresses from the MS Outlook address book in to the mseml.dll file and uses an http commands to send them to the same remote sites.
Throd can install and launch random files on command.
Throd also works as a proxy server and is capable of accepting and sending any type of data.

Backdoor.SdBot.gen

Aliases

Backdoor.SdBot.gen (Kaspersky Lab) is also known as: W32/Lolol.worm.gen (McAfee), W32.Spybot.Worm (Symantec), Win32.IRC.Bot.based (Doctor Web), W32/Spybot-CQ (Sophos), Win32/HLLW.SpyBot (RAV), Worm/SpyBot.#3 (H+BEDV), Win32:SpyBot-GEN (ALWIL), Worm/Spybot (Grisoft), Backdoor.SDBot.Gen (SOFTWIN), Trojan.Spybot.gen-3 (ClamAV), W32/Spybot.BE.worm (Panda), Win32/SpyBot.AFL (Eset)

Description added	Aug 21 2002
Behavior	Backdoor

Technical details

This is a family of backdoor malicious programs, which provide the user with remote control over victim machines. This is achieved by sending commands via IRC channels.

Installation

Depending upon the program version, the backdoor either copies itself either to the Windows System directory or to other directories located in the System directory. The program also registers a copy of itself in the system registry, which ensures that it will be executed when Windows is started:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

The registry value will vary according to which version of the backdoor has infected the machine.

Payload

Backdoor.SdBot connects to a range of IRC servers, then connects with a channel that is hard coded into its body. It is then ready to receive remote commands, such as downloading and executing remote files, acting as an IRC proxy server, joining IRC channels, sending messages via IRC, and sending UDP and ICMP packets to remote computers.

Backdoor.Rbot.gen

Aliases

Backdoor.Rbot.gen (Kaspersky Lab) is also known as: IRC-Sdbot (McAfee), W32.Spybot.Worm (Symantec), Win32.HLLW.MyBot (Doctor Web), W32/Rbot-BY (Sophos), Backdoor:Win32/Rbot (RAV), Worm/Sdbot.39936.B (H+BEDV), Win32:SdBot-194-B (ALWIL), IRC/BackDoor.SdBot.28.F (Grisoft), Backdoor.SDBot.Gen (SOFTWIN)

Description added	Aug 06 2004
Behavior	Backdoor

Technical details

Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC, and have the following functions:

monitor networks for interesting data packets (i.e. those containing passwords to FTP servers, and e-payment systems such as PayPal etc.)

scan networks for machines which have unpatched common vulnerabilties (RPC DCOM, UPnP, WebDAV and others); for machines infected by Trojan programs (Backdoor.Optix, Backdoor.NetDevil, Backdoor.SubSeven and others) and by the Trojan components of worms (I-Worm.Mydoom, I-Worm.Bagle); for machines with weak system passwords

conduct DoS attacks

launch SOCKS and HTTP servers on infected machines

send the user of the program detailed information about the victim machine, including passwords to a range of computer games

Backdoor.Perl.AEI.16

Aliases

Backdoor.Perl.AEI.16 (Kaspersky Lab) is also known as: BackDoor-AEI.php (McAfee), Backdoor.Trojan (Symantec), Troj/Bdoor-AEI (Sophos), PERL/AEI.16* (RAV), PERL_AEI.16 (Trend Micro), Perl.Backdoor.RevTunnel.A (SOFTWIN), Backdoor Program (Panda), Perl/AEI.16 (Eset)

Description added	Nov 28 2007
Behavior	Backdoor

Technical details

Payload

Removal instructions

Technical details

This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl scenario. It is approximately 12KB in size.

Payload

This Trojan has two parts, a server and a client. The execution depends on the parameters with which the Trojan is launched.
The server part opens a port which is specified in the body of the Trojan. The Trojan waits for a connection to this port and attempts to use the command line interpreter to run all commands received from the remote client.
The client is a shell for sending commands to the server part and for getting service messages.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor.Perl.AEI.20

Aliases

Backdoor.Perl.AEI.20 (Kaspersky Lab) is also known as: BackDoor-AEI.php (McAfee), Backdoor.Trojan (Symantec), Troj/Bdoor-AEI (Sophos), PHP/RevTunnel.20* (RAV), PHP_REVTUNNEL.A (Trend Micro), Perl/AEI.20 (H+BEDV), Unix/Aei.trojan (FRISK), UNIX:Malware (ALWIL), Perl.Backdoor.RevTunnel.A (SOFTWIN), Backdoor Program (Panda), PHP/RevTun.20 (Eset)

Description added	Nov 28 2007
Behavior	Backdoor

Technical details
Payload
Removal instructions

Technical details

This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl scenario. It is approximately 14KB in size.

Payload

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor.PHP.C99Shell.w

Detection added	Sep 12 2007 10:29 GMT
Description added	Aug 04 2008
Behavior	Backdoor

Technical details

Payload

Removal instructions

Technical details

This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 229051 bytes in size.

Installation

This backdoor can be installed on a web server by a remote malicious user by uploading it via FTP, using the administrator's log-in details which have already been stolen. It can also be used to exploit a range of web site vulnerabilities which make it possible to upload a random file to the directory which contains the site scripts. Once this has been done, a hidden page appears on the site. Opening this page makes it possible for the malicious user to launch the backdoor and make use of its malicious functionality.

Payload

This backdoor is designed to provide remote, unauthorised administration of web servers. When the backdoor is launched, the malicious user is shown the backdoor interface:

The backdoor is able to conduct the following actions on the remote server:

provide full access to files on the hard disk

Calculate a range of hashes for strings

launch the command interpreter and bind its standard input/ output to a specific TCP port

bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)

view a list of processes launched on the server

execute random PHP code

download/ upload files from/to the server

search the server's hard disk for files with specific content

manage mysql databases (view/ create/ edit databases/tables)

run shell commands

scan FTP server accounts for weak passwords (e.g. where the account name and password co-incide)

delete the copy of itself from the server hard disk on command

create a user account without password

view active users in the system

delete records of its own activity from Apache server logs

exploit a range of Linux kernel and bash command interpreter vulnerabilies

run via the proxy server shown below

http://*****faced.org/proxy/index.php?q=

hiding the address of the remote malicious user.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).

Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor.PHP.C99Shell.an

Detection added

Jun 16 2008 02:05 GMT

Update released

Jun 16 2008 06:12 GMT

Description added

Oct 20 2008

Behavior

Backdoor

Technical details

This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 149170 bytes in size.

Installation

Payload

This backdoor is designed to provide remote, unauthorised administration of web servers. When the backdoor is launched, the malicious user is shown the backdoor interface:

The backdoor is able to conduct the following actions on the remote server:

provide full access to files on the hard disk

calculate a range of hashes for strings

launch the command interpreter and bind its standard input/ output to a specific TCP port

bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)

View the list of processes launched on the server

execute random PHP code

download/ upload files from/to the server

search the server's hard disk for files with specific content

manage mysql databases (view/ create/ edit databases/ tables)

run shell commands

scan FTP server accounts for weak passwords (e.g. where the account name and password co-incide)

delete the copy of itself from the server hard disk on command

create a user account without password

view active users in the system

delete records of its own activity from Apache server logs

Patches

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).

Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor.Netbus

Aliases

Backdoor.Netbus (Kaspersky Lab) is also known as: NetBus.reg (McAfee), Troj/NetBus-REG (Sophos), REG_NETBUP.A (Trend Micro)

Description added	Feb 21 2002
Behavior	Backdoor

Technical details

This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan. It allows to administrate infected computers from a remote console, to steal files, to damage installed software etc. See Backdoor.BO Trojan.

Backdoor.Agobot.gen

Aliases

Backdoor.Agobot.gen (Kaspersky Lab) is also known as: W32/Gaobot.worm.gen.d (McAfee), W32.HLLW.Gaobot.gen (Symantec), Win32.HLLW.Agobot.3 (Doctor Web), W32/Agobot-BV (Sophos), Win32/Gaobot.gen! (RAV), WORM_AGOBOT.RM (Trend Micro), Worm/Sdbot.39936.B (H+BEDV), Win32:Gaobot-268 (ALWIL), Worm/Agobot (Grisoft), Backdoor.Agobot.3.Gen (SOFTWIN)

Description added	Jan 09 2004
Behavior	Backdoor

Technical details

This is a classical backdoor and allows a 'master' to control the victim machine remotely by sending commands via IRC channels.

Installation

Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

Manifestations

Agobot connects to various IRC servers opening channels identified in the body of the worm. It is then ready to receive commands from the 'master', who can now download and launch files on the victim machine, scan other computers for vulnerabilities and install itself on these vulnerable machines.

Trojan Programs

Trojans can be classified according to the actions which they carry out on victim machines.

Backdoors
General Trojans
PSW Trojans
Trojan Clickers
Trojan Downloaders
Trojan Droppers
Trojan Proxies
Trojan Spies
Trojan Notifiers
ArcBombs
Rootkits

Backdoors

Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect.
The only difference between a legal administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the log of active programs.
Once a remote administration utilitiy has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include:

Sending/ receiving files
Launching/ deleting files
Executing files
Displaying notification
Deleting data
Rebooting the machine

In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.
Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.

General Trojans

This loose category includes a variety of Trojans that damage victim machines or threaten data integrity, or impair the functioning of the victim machine.
Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.

PSW Trojans

This family of Trojans steals passwords, normally system passwords from victim machines. They search for system files which contain confidential information such as passwords and Internet access telephone numbers and then send this information to an email address coded into the body of the Trojan. It will then be retrieved by the 'master' or user of the illegal program.
Some PSW Trojans steal other types of information such as:

System details (memory, disk space, operating system details)
Local email client
IP-address
Registration details
Passwords for on-line games

Trojan-AOL are PSW Trojans that steal passwords for aol (American Online) They are contained in a sub-groups because they are so numerous.

Trojan Clickers

This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).
Clickers are used:

To raise the hit-count of a specific site for advertising purposes
To organize a DoS attack on a specified server or site
To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)

Trojan Downloaders

This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.

Trojan Droppers

These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.
Droppers are normally structured in the following way:

Main file
contains the dropper payload

File 1
first payload

File 2
second payload

...
as many files as the coder chooses to include

The dropper functionality contains code to install and execute all of the payload files.
In most cases, the payload contains other Trojans and at least one hoax: jokes, games, graphics and so forth. The hoax is meant to distract the user or to prove that the activity caused by the dropper is harmless, whereas it actually serves to mask the installation of the dangerous payload.
Hackers using such programs achieve two objectives:

Hidden or masked installation of other Trojans or viruses
Tricking antivirus solutions which are unable to analyse all components

Trojan Proxies

These Trojans function as a proxy server and provide anonymous access to the Internet from victim machines. Today these Trojans are very popular with spammers who always need additional machines for mass mailings. Virus coders will often include Trojan-proxies in Trojan packs and sell networks of infected machines to spammers.

Trojan Spies

This family includes a variety of spy programs and key loggers, all of which track and save user activity on the victim machine and then forward this information to the master. Trojan-spies collect a range of information including:

Keystrokes
Screenshots
Logs of active applications
Other user actions

These Trojans are most often used to steal banking and other financial information to support online fraud.

Trojan Notifiers

These Trojans inform the 'master' about an infected machine. Notifiers confirm that a machine has been successfully infected, and send information about IP-address, open port numbers, the email address etc. of the victim machine. This information may be sent by email, to the master's website, or by ICQ.
Notifiers are usually included in a Trojan 'pack' and used only to inform the master that a Trojan has been successfully installed on the victim machine.

Rootkits

A rootkit is a collection of programs used by a hacker to evade detection while trying to gain unauthorized access to a computer. This is done either by replacing system files or libraries, or by installing a kernel module. The hacker installs the rootkit after obtaining user-level access: typically this is done by cracking a password or by exploiting a vulnerability. This is then used to gather other user IDs until the hacker gains root, or administrator, access to the system.
The term originated in the Unix world, although it has since been applied to the techniques used by authors of Windows-based Trojans to conceal their actions. Rootkits have been used increasingly as a form of stealth to hide Trojan activity, something that is made easier because many Windows users log in with administrator rights.

ArcBombs

These Trojans are archived files coded to sabotage the de-compressor when it attempts to open the infected archived file. The victim machine will slow or crash when the Trojan bomb explodes, or the disk will be filled with nonsense data. ArcBombs are especially dangerous for servers, particularly when incoming data is initially processed automatically: in such cases, an ArcBomb can crash the server.
There are three types of ArcBombs: incorrect header in the archive, repeating data and a series of identical files in the archive.
An incorrect archive header or corrupted data can both cause the de-compressor to crash when opening and unpacking the infected archive.
A large file containing repeating data can be packed into a very small archive: 5 gigabytes will be 200 KB when packed using RAR and 480 KB in ZIP format.
Moreover, special technologies exist to pack an enormous number of identical files in one archive without significantly affecting the size of the archive itself: for instance, it is possible to pack 10¹⁰⁰ identical files into a 30 KB RAR file or a 230 KB ZIP fil

Protect your computer from hackers!

Protect your computer from hackers! Learn how to prevent yourself from being a victim and a distributor of computer email viruses and worms. Take these simple precautions:

NEVER open an attachment in an email UNLESS you are sure you understand what it is and why it's been sent to you. When in doubt, delete. You can always write back to the person who sent it and ask if they intended to send an attachment and to please explain what it was and then resend it. Most viruses are triggered by unwitting victims opening an attachment.
INSTALL PROTECTION SOFTWARE -- NOW! Once you have it, you will help stop the spread of viruses. If you don't have it, you will sooner or later regret leaving yourself so vulnerable. It is absolutely worth the money spent for it! (See the list of anti-virus software on the right.)
BLOCK PORN and other spam, as well as viruses, with a program called MailWasher Pro. For a very low price, MailWasher will look inside your mailbox before you run your email program, identify the porn and spam and viruses, and delete it for you. It will even help you fight back by sending a bounce message that tells the spammer that your address is invalid (so that it's removed from their mailing list). Then you can safely open your email.
Find out what's NOT a virus and don't clog up the internet spreading false alarms. When you get word of a virus, take a minute to check it out first, before forwarding the message to others and embarrassing yourself. Here's a great site for this research:
urbanlegends.miningco.com/library/blhoax.htm
BEWARE OF SPIES, HACKERS & KEY LOGGERS!
There are programs that can spy into your computer. It happens when people download a program (such as a game) that comes bundled with "Sputnik" or "VX2" or another brand of spyware. It installs itself silently on your computer and then monitors your "clickstream" as you navigate around the web, sending information about your activities (including credit card numbers!), back to the originator. Disclaimers claim that credit card info will not be used (sooo -- why get it then?)

To make matters worse, there seems to be a connection between this and an increase of popup ads while surfing the Internet!
You can tell if you're infected with VX2 by searching for the "VX2.dll" file on your system. Instructions for uninstalling the software are located at http://www.vx2.cc
Always be careful about what you download. Is it from a trustworthy software manufacturer? But since "trust" is only a guess, the best advice is to extend your anti-virus protection to include anti-spyware (to block your personal information from being taken without your permission), anti-hacker-tools (to prevent hijackers from accessing your PC), anti-key-loggers (to safeguard your passwords and other private stuff) and anti-worms (to hack away at hacker tools that can exploit your computer even after they're gone).

Google Public DNS Servers Launched

Today, Google has announced the launch of their free DNS resolution service. Many ISPs and 3rd party provider such as OpenDNS snoops around or send traffic to ad servers. However, Google promises not to play with end users and send the exact response his or her computer expects without performing any blocking, filtering, or redirection that may hamper a user's browsing experience. In other words Google will not hijacking your traffic on non-existent domain name and it will follow strict RFC standard.

From the blog post:

The DNS protocol is an important part of the web's infrastructure, serving as the Internet's "phone book". Every time you visit a website, your computer performs a DNS lookup. Complex pages often require multiple DNS lookups before they complete loading. As a result, the average Internet user performs hundreds of DNS lookups each day, that collectively can slow down his or her browsing experience.

Google DNS Server IP Addresses

The Google Public DNS IP addresses are as follows:

8.8.8.8

8.8.4.4

How Do I Add Google DNS Server IP Address Under Linux?

Simple edit the /etc/resolv.conf file and add above two ip address:

nameserver 8.8.8.8
nameserver 8.8.4.4

Google DNS Server vs Your ISP Server

CDN servers will not work correctly and they will return a list close to Google's DNS servers.
host i.dell.com 8.8.8.8
Sample outputs:

Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

i.dell.com is an alias for img.dell-cidr.akadns.net.
img.dell-cidr.akadns.net is an alias for ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net.
ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net is an alias for a1058.g.akamai.net.
a1058.g.akamai.net has address 203.106.85.169
a1058.g.akamai.net has address 203.106.85.170

203.106.85.169 & 203.106.85.170 located somewhere in KUALA LUMPUR.
host i.dell.com 202.56.250.5

Using domain server:
Name: 202.56.250.5
Address: 202.56.250.5#53
Aliases: 

i.dell.com is an alias for img.dell-cidr.akadns.net.
img.dell-cidr.akadns.net is an alias for ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net.
ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net is an alias for a1058.g.akamai.net.
a1058.g.akamai.net has address 122.166.109.9
a1058.g.akamai.net has address 122.166.109.11

122.166.109.9 & 122.166.109.11 located in India. This also applies to NTP pool servers.

Speed

Ping-pong timings:

Ping times (ISP dns servers) - 20ms
Ping times (Google dns servers) - 116ms
Ping times (OpenDNS servers) - 190ms

Resolving timings (use dig @dns-server.address domainname.com):

ISP DNS Server - 41 msec
Google DNS Server - 262 msec
OpenDNS server - 213 msec

In other words I will use my ISPs server instead of Google or OpenDNS due to speed issue and incorrect handling of CDN servers. If you own a small LAN, I recommend setting up a caching dns server called dnsmasq.