The famous DNS virus!

From: xxxxx
Sent: Dienstag, 10. Juni 2003 09:41
To: Richard Priest
Cc: noc@xxxx
Subject: Re: Possible Virus from your domain.

On Mon, 9 Jun 2003, Richard Priest wrote:

>> Hello,
>> We are an Internet Service Provider in the UK.
>> I have received a call from one of our customers regarding a program.
>> (which we are unable to trace on his machine using various anti-virus
>> software and looking through the current tasks running in windows)
>> The program seems to try and connect to the internet, and sends a data
>> packet to the following IP: to port 53.
>> If you have any knowledge of this program or its creator, please do not
>> hesitate to email me back with a resolution.
>> Thank You
>> Richard Priest
>> Technical Support
>> Cobweb Solutions Ltd

Hi Richard,

The virus you described is called DNS (Domain Name Service).

It was invented by (a bad guy) called Paul Mockapetris in the mid-80's and
first time very well described in:

and later even standardized:

Finally, someone made an effort to compile a nice history of it:

It really uses UDP - port 53 (for sending evil NS queries and NS replies)
and TCP - port 53 (for zone transfers).

The virus itself causes a strange disease, making people to type strange
names like "", "" instead of nice and
neat numbered addresses (like, and so on).

It was partly responsible for the revolution in the mid-90's,
althought its effects on the disaster of the industry are not
very clear.

To get familiar with the virus and the disease, I'd recommend you to read
the following RFC documents: 1034, 1035, 1537, 2181, 2929, 3090 and 3467,
as well as a good book: