The famous DNS virus!
Sent: Dienstag, 10. Juni 2003 09:41
To: Richard Priest
Subject: Re: Possible Virus from your domain.
On Mon, 9 Jun 2003, Richard Priest wrote:
>> We are an Internet Service Provider in the UK.
>> I have received a call from one of our customers regarding a program.
>> (which we are unable to trace on his machine using various anti-virus
>> software and looking through the current tasks running in windows)
>> The program seems to try and connect to the internet, and sends a data
>> packet to the following IP: 220.127.116.11 to port 53.
>> If you have any knowledge of this program or its creator, please do
>> hesitate to email me back with a resolution.
>> Thank You
>> Richard Priest
>> Technical Support
>> Cobweb Solutions Ltd
The virus you described is called DNS (Domain Name Service).
It was invented by (a bad guy) called Paul Mockapetris in the mid-80's and
first time very well described in:
and later even standardized:
Finally, someone made an effort to compile a nice history of it:
It really uses UDP - port 53 (for sending evil NS queries and NS replies)
and TCP - port 53 (for zone transfers).
The virus itself causes a strange disease, making people to type strange
names like "www.microsoft.com", "www.cobweb.co.uk" instead
of nice and
neat numbered addresses (like 18.104.22.168, 22.214.171.124 and so on).
It was partly responsible for the dot.com revolution in the mid-90's,
althought its effects on the disaster of the dot.com industry are not
To get familiar with the virus and the disease, I'd recommend you to read
the following RFC documents: 1034, 1035, 1537, 2181, 2929, 3090 and 3467,
as well as a good book: