Author Topic: Warning about a new virus

scottws
Warning about a new virus
« on: Tuesday, May 31, 2011, 08:41:34 PM »
So at work today we had a virus outbreak.  Yay my first one.  Luckily, we contained it really fast before it could spread too badly.  Anyway, what was happening is that malware on infected PCs was running a rogue DHCP server and handing out poisoned DHCP information.  By "poisoned" I mean that it will set the DNS server to a fake one.  So clients that grab addresses from DHCP might pick up an address from the rogue DHCP server and any web browsing will show a page asking you to update your browser to view the page content.  If you do that of course you are installing more virii.  Machines exhibiting the behavior aren't necessarily infected; they just might have the poisoned DHCP information.  As long as no one clicks that "Browser Update" button, they are fine.  The solution is to block outbound traffic at your Internet gateway to the fake DNS servers 188.229.88.7 and 188.229.88.8 (reported so far) and to find the compromised PC, which can be found via the Rogue DHCP Server Finder tool or just by looking at ipconfig /all on a computer with a poisoned record and noting the IP address of the DHCP server there.

The main reason I'm posting this here is that there are reports of a variant that is able to change settings on common routers/firewalls to do basically the same thing as the infected workstations: give out bad DNS information.  It does this by exploiting default administration password settings.  If any of you are running your router with the default settings, you probably should set a complex password on there right away.  If you can change the username, I suggest changing that as well.

If your router gets infected, it should be factory reset and set up from scratch.  There is no known way to clean the infected machines yet, so a complete wipe with something like dban and then a reinstall of the operating system is recommended.  If system images are available, that would be faster.
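As a worked illustration of the triage step scottws describes (look at ipconfig /all on a client with a poisoned lease, note the DHCP server address, and check whether the DNS servers are the reported fake ones), here is an added Python example; it is not code from the original post. The two 188.229.88.x addresses are the ones reported in the post; the sample ipconfig output, the 10.0.0.x addresses, the MAC and the "known DHCP server" list are constructed and would be replaced with your own environment's values.

```python
import re

# Fake DNS servers reported in the post above.
ROGUE_DNS = {"188.229.88.7", "188.229.88.8"}
# Hypothetical: the site's legitimate DHCP server(s). Replace with your own.
KNOWN_DHCP_SERVERS = {"10.0.0.2"}

# Constructed sample of "ipconfig /all" output from a client holding a poisoned
# lease. The 10.0.0.x addresses, host name and MAC are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-042
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, May 31, 2011 9:02:11 AM
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.133
   DNS Servers . . . . . . . . . . . : 188.229.88.7
                                       188.229.88.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# A field line has a small indent, a key padded with " . . ." and a colon.
_KEY_VALUE = re.compile(r"^ {1,4}(\S.*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Parse 'ipconfig /all' text into {adapter: {field: [values]}}.

    Unindented lines ending in ':' start an adapter section, lines with a
    small indent are 'Key . . : value' fields, and deeper-indented lines are
    continuation values (e.g. the second DNS server) of the previous field.
    """
    adapters = {}
    current, last_key = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            if line.endswith(":"):
                current = line[:-1].strip()
                adapters[current] = {}
                last_key = None
            continue
        if current is None:  # global header lines before any adapter
            continue
        m = _KEY_VALUE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            adapters[current].setdefault(last_key, [])
            if value:
                adapters[current][last_key].append(value)
        elif last_key is not None:
            adapters[current][last_key].append(line.strip())
    return adapters


def check_lease(adapters, known_dhcp=KNOWN_DHCP_SERVERS, rogue_dns=ROGUE_DNS):
    """Return (adapter, finding, address) tuples for a poisoned DHCP lease.

    An unexpected DHCP server address is the lead for locating the infected
    PC; a DNS server on the rogue list confirms the lease is poisoned.
    """
    findings = []
    for name, fields in adapters.items():
        if fields.get("DHCP Enabled", ["No"])[0].lower() != "yes":
            continue  # static configuration, not handed out by DHCP
        for dhcp in fields.get("DHCP Server", []):
            if dhcp not in known_dhcp:
                findings.append((name, "unexpected DHCP server", dhcp))
        for dns in fields.get("DNS Servers", []):
            if dns in rogue_dns:
                findings.append((name, "known rogue DNS server", dns))
    return findings


if __name__ == "__main__":
    for adapter, finding, address in check_lease(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {finding} {address}")
```

On a real machine you would feed it the saved output of `ipconfig /all` instead of the constructed sample; the "unexpected DHCP server" line gives the address to go hunt for, and the same check can be run against leases collected from several clients to see how far the rogue server's leases spread.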

Quemaqua
  • Administrator
Re: Warning about a new virus
« Reply #1 on: Tuesday, May 31, 2011, 08:43:22 PM »
Good to know... thanks for posting.
