Hijacking of the www.winvideo.net site using the Windows HOSTS file

Saturday, October 3rd, 2009

Warning!

We have received reports that some WinVideo customers are experiencing system crashes, that WinVideo does not start, or that it cannot access the news section, SMS, database, etc. Navigation to the following sites is also denied:

http://www.winvideo.net
http://www.miditel.net
http://www.wvideo.net
http://www.ckware.com

We immediately connected to one of these systems and found that:

A Windows system file was changed, either by malware (a virus) or by a person connected remotely, deliberately blocking the activities of WinVideo and related modules, including internet booking forms.

Moreover, this change can cause a serious loss of data and security, because the calls are hijacked to an unauthorized server that gathers private information.

How to check whether your system is affected
From Windows, press the START button, then “Run”, and type in this command:

For those with Windows XP / Vista:

notepad C:\WINDOWS\system32\drivers\etc\hosts

For those with Windows 2000:

notepad C:\WINNT\system32\drivers\etc\hosts

If the file contains “www.winvideo.net” and/or “www.miditel.net”, your system has been hijacked.

Technical details of the hijacking
In technical terms, the Windows hosts file (which carries the “hijacking”) was modified as follows:

Code:
213.21.156.137 www.miditel.net
213.21.156.137 www.winvideo.net
213.21.156.137 www.ckware.com
213.21.156.137 www.wvideo.net
213.21.156.137 89.98.255.40

In practice, any call to the www.winvideo.net site is rerouted to IP address 213.21.156.137, which effectively blocks that activity and causes WinVideo to block the system (and could gather personal information). In any case, WinVideo detects the hijacking and stops its activities.
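The manual check above can also be scripted. The following Python code is an added example, not part of WinVideo or of the original notice: it parses hosts-file text, reports any entry that overrides one of the four sites named in this notice, and also reports entries like the last line above, where an IP address sits in the host name position. The function names and the sample text (the quoted entries plus a constructed comment and localhost line) are assumptions made for the example.

```python
import ipaddress

# Host names listed in this notice; a clean hosts file has no entry for them.
WATCHED = {"www.winvideo.net", "www.miditel.net", "www.wvideo.net", "www.ckware.com"}

# Constructed sample: the entries quoted in this notice, preceded by a
# comment line and a normal localhost line added for the example.
SAMPLE = """\
# sample hosts file (constructed)
127.0.0.1       localhost
213.21.156.137 www.miditel.net
213.21.156.137 www.winvideo.net
213.21.156.137 www.ckware.com
213.21.156.137 www.wvideo.net
213.21.156.137 89.98.255.40
"""

def _is_ip(text):
    """True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Yield (line_no, address, [names]) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 2 and _is_ip(fields[0]):
            # Host names are case-insensitive; a trailing dot is equivalent.
            yield line_no, fields[0], [f.lower().rstrip(".") for f in fields[1:]]

def find_suspicious(text, watched=WATCHED):
    """Return (line_no, address, name, reason) for entries to review."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            if name in watched:
                findings.append((line_no, addr, name, "watched host overridden"))
            elif _is_ip(name):
                findings.append((line_no, addr, name, "IP address used as host name"))
    return findings

if __name__ == "__main__":
    # On a real machine, read the hosts file and pass its text instead of SAMPLE.
    for line_no, addr, name, reason in find_suspicious(SAMPLE):
        print("line %d: %s -> %s (%s)" % (line_no, name, addr, reason))
```

A commented-out line is ignored, so an entry disabled with "#" does not count as a hijack.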

Symptoms
From WinVideo, or from the computer where WinVideo is installed (or from your server), browsing to http://www.winvideo.net and/or this forum, http://forum.winvideo.net, makes the system hang or display a blank page.

Effects

This “hijacking” has the following effects:

1) Blocks sending and receiving of SMS
2) Blocks WinVideo updates and its backup
3) Risk of exposure to the other system, which may try to take total control of your computer
4) Errors and blocks on file transfers, and possible blocking of your dispensers

Lawsuits
For the moment we are not yet able to determine whether the problem was caused by a virus targeted via a remote link or by a person.
In any case, such behavior is grounds for a criminal complaint to the judiciary for invasion of privacy, unauthorized intrusion into systems, and unauthorized modification of files. We therefore suggest that every customer immediately file a complaint against unknown persons for violation of privacy, to allow the investigation (together with us) to identify those responsible for the attempt to block your business and ours.

Please note that this is not a WinVideo problem but a problem of hacking a Windows file (2000, XP, Vista, etc.).

Reinstatement
Our team offers to remove the hijacking free of charge: please call +39-010-55.30.491 or email us immediately.
Otherwise, ask your technician to clean up the Windows HOSTS file.

Prevention
Once again we point out the urgent need to remove remote access software (pcAnywhere, VNC) from all PCs exposed to the internet, because anyone could gain access and cause irreparable damage.
Or, if that is not possible, change the connection passwords each time remote access is used by someone authorized by you.
