
Alureon virus on a Mac?

My daughter has an iMac running OSX 10.6.8 and has been notified by Comcast that she has the "Alureon" virus. I don't think that is possible, as I understand that it is a Windows virus, but Comcast insists that it is her problem and she should contact her anti-virus software support. Whenever she tries to use the internet a Comcast popup appears with the notice; it can't be closed and she is unable to use any web pages. She has no Windows software on her machine at all. Could the issue be with the modem? I'm grasping at straws here. Advice?



  • There's a lot of history behind this one...

    Usually, when ISPs put up an alert saying that someone is infected with the Alureon Virus, they are in fact responding to the fact that the customer's computer is using a DNS server that, prior to a takedown by the FBI and Microsoft, belonged to the malware authors that created Alureon, DNSChanger, RSPlug (which is what infected Macs), and a number of other pieces of Mac and Windows malware.

    This link should shed some more light on the situation: http://nakedsecurity.sophos.com/tag/rsplug/

    This one may also help: http://www.dcwg.org/

    While Comcast's message was decidedly Windows-centric and unhelpful in this situation, a fix is definitely necessary.  The first step is to verify that the iMac is not infected with malware, specifically OSX/DNSChanger, OSX/RSPlug, or OSX/Jahlav variants.

    The second step is to go into System Preferences->Network and verify that the DNS servers listed belong to your network router (192.168.x.x or 10.x.x.x), your ISP (the IP address should be similar to your outbound IP address) or some trusted DNS server (such as 8.8.8.8 for Google DNS).

    Once the DNS information has been fixed, Comcast's alert should go away.  All they are doing is intercepting DNS requests headed for known-bad DNS servers and returning an error instead.  Since the FBI is going to be taking those servers offline shortly (they've been running them with the help of Microsoft themselves for the past six months), this informative message is definitely an improvement on the sudden unexplained loss of service that your daughter would otherwise experience when the servers go offline.

    As an addendum, if her iMac's DNS settings are pointed to get their information from your modem, it is possible that the modem has been modified to use the previously malicious DNS servers.  You'll need to use the web interface for administering your modem to verify that it is using trusted DNS servers from your ISP or some other source.

  • A customer of mine got the Comcast email but doesn't have anything funky going on like popups or redirects, but he did say the following (any help on this would be very appreciated).

    Shaun, It is not the primary icon "Network" grayed out, but the boxes in the subsidiary levels "Network setup" - Ethernet connected - DNS Server & Search Domains.

    The Comcast techie I first dealt with had me do a Safe Reboot, but the result was no diagnosis and no remedy. That's when he recommended a house call.

    I just did a "Repair Permissions" and a Virus Scan with Norton AntiVirus for Mac. Nothing.

  • There will be no popups or redirects as the name servers are currently managed by the FBI, who aren't interested in doing such things.  Soon they will be taking the servers offline, at which point name resolution will no longer work for anyone affected (most internet requests will just time out or return errors).

    The fix is to revert the DNS IPs to those managed by a legitimate network authority (like your local router or ISP).

    DNS Server is almost always grayed out in the Ethernet pane.  You need to click the Advanced... button, click the DNS tab, and click the + button under DNS Servers to add in servers other than those provided by the DHCP host.

    If it's the DHCP host's default DNS servers that are triggering the Comcast alert, then the problem isn't with the computer, it's with the device providing DHCP -- likely the router.  This will need to be accessed via admin mode, and told to automatically use the DNS IPs provided by its DHCP connection with the ISP gateway servers.

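    An added check for the DNS-verification steps in the two replies above (example code, not from this thread or from Sophos): it parses the resolvers a Mac is actually using, as captured from `scutil --dns`, classifies each as router, trusted or unverified, and uses the output of `networksetup -getdnsservers <service>` to decide whether the fix belongs on the Mac or on the DHCP device (router/modem), which is the distinction the second reply draws. The sample output, the trusted list and the assumed `networksetup` wording are assumptions; it goes beyond the post by treating all RFC 1918 space, not only 192.168.x.x and 10.x.x.x, as "router".

```python
import ipaddress
import re

# Constructed sample of `scutil --dns` output (shape only; 203.0.113.53 is
# documentation space standing in for an unrecognised resolver).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
resolver #2
  domain   : local
  options  : mdns
"""

# Resolvers the thread treats as acceptable: the home router (all RFC 1918 space,
# not only the 192.168/10 ranges the post names), Comcast's published anycast
# resolvers and Google Public DNS. Assumption: add your own ISP's list to TRUSTED.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED = {"75.75.75.75", "75.75.76.76", "2001:558:feed::1", "2001:558:feed::2", "8.8.8.8"}
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

def parse_nameservers(text):
    """Unique resolver addresses, in order of appearance, from scutil --dns output."""
    seen = []
    for match in NAMESERVER_RE.finditer(text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def classify(ip):
    """'router' (handed out on the LAN), 'trusted' (ISP/public), or 'unverified'."""
    addr = ipaddress.ip_address(ip)  # also normalises IPv6 case, e.g. FEED -> feed
    if any(addr in net for net in PRIVATE_NETS):
        return "router"
    return "trusted" if str(addr) in TRUSTED else "unverified"

def audit(text):
    return {ip: classify(ip) for ip in parse_nameservers(text)}

def where_to_fix(manual_dns_output, verdicts):
    """Decide whether the bad resolver lives on the Mac or on the DHCP device.
    manual_dns_output is `networksetup -getdnsservers <service>`; the assumed
    wording "There aren't any DNS Servers set on ..." means DHCP supplies them."""
    if "unverified" not in verdicts.values():
        return "ok"
    dhcp = manual_dns_output.startswith("There aren't any DNS Servers set")
    return "check router/modem (DHCP-supplied)" if dhcp else "fix in System Preferences > Network"
```

    An "unverified" verdict only means the address is not on your own trusted list; compare it with your ISP's published resolvers (or the DCWG page linked above) before changing anything.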
  • As follows, per customer:

    Shaun,
    For what it's worth, the DNS Server Settings are: 75.75.75.75, 75.75.76.76 (grayed out).

    Well, I looked into what those settings should be with Comcast Agile and they are as follows:

    Comcast's DNS Servers (DNSSEC-Validating)

    Geographic Location                      Primary DNS        Secondary DNS
    National DNS Servers / Anycast - IPv4    75.75.75.75        75.75.76.76
    National DNS Servers / Anycast - IPv6    2001:558:FEED::1   2001:558:FEED::2

    That's what they are supposed to be, I would assume. I don't think the guy has a problem, but I did tell him to call Comcast and have them look into their router and make sure those settings were correct.

    He also stated this in a reply email:

    "I know I can delete the grayed-out DNS numbers in Network."

    I'm starting to think there is nothing wrong.
