Google Groups unterstützt keine neuen Usenet-Beiträge oder ‑Abos mehr. Bisherige Inhalte sind weiterhin sichtbar.

0shares.net

21 Aufrufe
Direkt zur ersten ungelesenen Nachricht

scotteh

ungelesen,
07.12.2007, 13:13:2207.12.07
an
Hi all

Anyone seen/heard anything about 0shares.net? Someone in the office
obviously ran this virus and it got past SAV. Now every email she
sends out (with eudora) has something like this on the bottom:


<br>----------------------------------------------------------------
<br>
Take a look at yourself in my short video since our last meeting<br>
<a href=http://0shares.net/flash/movie/getflash.php?id=cat>http://
0shares.net/flash/movie/getflash.php?id=cat</a><br>


OR

----------------------------------------------
Woohoo! Take a look at this!
http://0shares.net/flash/movie/cat.exe

It is not even visible in the original email in the Out Mailbox. I did
a system scan with Symantic and found nothing. It's not in a signature
file, and I couldnt find anything strange starting up in the normal
RUN keys in the registry. Im sure it's in there somewhere but I dont
even know what to search for. I tried 0shares and got nothing except
some history URLs (where it obviously came from).

Google and Yahoo and Symantec searches return absolutely nothing.
Could this be brand new?

Any ideas? Even obvious ones. I havent had to track down a virus in a
couple of years and I dont even know where to start now.

This is Win98 (yup), ie6, eudora is current, and the virus def file
for SAV is current.

Thanks

Scott


jen

ungelesen,
07.12.2007, 14:36:2707.12.07
an
"scotteh" <sco...@gmail.com> wrote in message
news:e5674b29-86ec-431d...@f3g2000hsg.googlegroups.com...

See here:
http://www.robtex.com/dns/0shares.net.html
http://www.robtex.com/whois/0shares.net.html

Smells like variant of Storm to me... Hopefully, Ant will come along
to enlighten us :)

-jen


Ant

ungelesen,
07.12.2007, 17:54:0107.12.07
an
"jen" wrote:

> "scotteh" wrote:
>> hxxp://0shares.net/flash/movie/cat.exe

> Smells like variant of Storm to me... Hopefully, Ant will come along
> to enlighten us :)

I'd like to but the domain won't resolve right now. It has only
recently been registered (4 dec) to a chinaman through rustelekom.
That smells bad. Rustelekom is connected to the RBN (Russia Business
Network), known cyber criminals.


in...@rustelekom.biz

ungelesen,
08.12.2007, 13:25:4508.12.07
an
Hi all,

Please be a little more safe with your's explanation. We are not
"connected to RBN" . We are "connected" to Russia. Our customer base
mainly is Russian's and that is not strange because we are russian
too. If you guy have any evidence about some of our customers and
think that they "connected to RBN" please do not hesitate contact to
us and we will investigate issue. We absolutely not like when someone
just call - "all russian's is bad", "all russian's is crime" and so on
so on include our own trademark name . You guy's should be understand
that in real life it will be a reason for begin legal action against
you. Nothing personal, just because say something in public place
please double check you sentence before post it.
We are cooperate successfully with all organizations and persons who
are really interested in preventing cyber crime and wouldn't like just
isolate all Russia and russian's from the internet. Organization and
person who touch to us and get enough explanation from us knew that.
If you don't know how we work and how we deal with complains please
close your mouth and try touch us before make liar post somewhere.

sorry for may bad english but i sure i was clear enough with my
explanation for anyone who would like fully understand situation and
who is talk about something not with closed eyes .
Please do not hesitate contact us if you any question.

Best Regards
Dmtry Ivanov

Ant

ungelesen,
08.12.2007, 17:01:2508.12.07
an
<in...@rustelekom.biz> (Dmtry Ivanov) wrote:

> Please be a little more safe with your's explanation. We are not
> "connected to RBN". We are "connected" to Russia. Our customer base
> mainly is Russian's and that is not strange because we are russian
> too.

I'm sorry, that was very careless of me. When I saw rustelekom.biz
as the registration service provider for 0shares.net I associated it
with rustelecom; that is rustelecom.net who do appear to be linked in
some way to the RBN. I have no reason to suspect rustelekom.biz is
connected to the RBN.

> We absolutely not like when someone
> just call - "all russian's is bad", "all russian's is crime" and so on

I would never do that. Some of my best software is Russian.

Once again, I apologise for the mistake.


Some Guy

ungelesen,
08.12.2007, 17:51:2508.12.07
an
in...@rustelekom.biz wrote:

> We are not "connected to RBN" . We are "connected" to Russia.

Which makes you criminals. If not now, then at some point in the near
future.

After all, you pretty much universally elected Master Criminal and
Thug Putin as emperor for another term.

in...@rustelekom.biz

ungelesen,
08.12.2007, 20:46:0208.12.07
an
On Dec 9, 1:01 am, "Ant" <n...@home.today> wrote:

> <i...@rustelekom.biz> (Dmtry Ivanov) wrote:
> > Please be a little more safe with your's explanation. We are not
> > "connected to RBN". We are "connected" to Russia. Our customer base
> > mainly is Russian's and that is not strange because we are russian
> > too.
>
> I'm sorry, that was very careless of me. When I sawrustelekom.biz
> as the registration service provider for 0shares.net I associated it
> with rustelecom; that is rustelecom.net who do appear to be linked in
> some way to the RBN. I have no reason to suspectrustelekom.biz is

> connected to the RBN.
>
> > We absolutely not like when someone
> > just call - "all russian's is bad", "all russian's is crime" and so on
>
> I would never do that. Some of my best software is Russian.
>
> Once again, I apologise for the mistake.

Hi,

It's ok. No problem. We all may have mistake. I know about what you
talk. Rustelecom is small ISP who provide internet access for small
city in Moscow province. About week or two ago, i've just seem their
name under one of the SBL listing where they was listed as "fake"
provider. It's another mistake. But origin of mistake is Spamhouse,
because all russian ISP (BTW all russian host-provider too) is state
licensed and checked. So, there is not reason call them as "fake"
provider. May be their ip's been used for sending SPAM or anything
else but it is the same issue like a SPAM was sent by using MCI,
Comcast. Korea or Japan ISP and should be managed by standard way
without threatment of country or nationality. If we all will go by
another way, then we will get at least new Cold War if not How War. If
we do business in US we should follow US law, if we do business in
Russia we should follow Russian legislation. If we use the internet
then we should follow nettetique.

Best Regards
Dmitry


Some Guy

ungelesen,
08.12.2007, 21:27:4308.12.07
an
in...@rustelekom.biz wrote:

> But origin of mistake is Spamhouse,

The only mistake is connecting Russia to the Internet.

Thanks for all the internet viruses, malware, fraud and crime you give
to the rest of the world.

> because all russian ISP (BTW all russian host-provider too) is
> state licensed and checked.

I suppose Putin himself gives his rubber stamp.

> May be their ip's been used for sending SPAM or anything
> else but it is the same issue like a SPAM was sent by
> using MCI, Comcast.

And where does the spam software, the botnet software come from?

From Russia. Russia is run by criminals.

> if we do business in Russia we should follow Russian
> legislation.

You mean if you do business in Russia, you follow the Russian Mafia.

Ant

ungelesen,
09.12.2007, 12:19:2509.12.07
an
"Some Guy" wrote:

> in...@rustelekom.biz wrote:
>> We are not "connected to RBN" . We are "connected" to Russia.
>
> Which makes you criminals.

WTF? who rattled your cage? I make a serious and unfounded accusation
against a Russian ISP and you attack their administrator when he,
quite rightly, complains and corrects me. And I'm grateful for that
because I don't like giving false information.

The Russian people have plenty of problems in transforming the old
soviet state to a modern capitalist ecomomy that most of the world
enjoys (or hates). The fact that criminality can flourish under such
an upheaval and learning process doesn't make them all bad.


Ant

ungelesen,
09.12.2007, 12:18:1309.12.07
an
<in...@rustelekom.biz> wrote:

> On Dec 9, 1:01 am, "Ant" wrote:
>> Once again, I apologise for the mistake.

> It's ok. No problem. We all may have mistake. I know about what you


> talk. Rustelecom is small ISP who provide internet access for small
> city in Moscow province. About week or two ago, i've just seem their
> name under one of the SBL listing where they was listed as "fake"
> provider. It's another mistake. But origin of mistake is Spamhouse,
> because all russian ISP (BTW all russian host-provider too) is state
> licensed and checked. So, there is not reason call them as "fake"
> provider.

That's interesting. I don't know how Spamhaus obtained their
information about that, but they are a respected anti-spam
organisation and I would hope they check their facts before making
such pronoucements. Otherwise, they will lose respect.

David Bizeul has published a study of the RBN in this PDF document:
http://bizeul.org/files/RBN_study.pdf
which is where I found mention of Rustelecom (AS41181). It's not clear
what involvement they may have, if any, and it's possible the author
may only have a suspicion. The core RBN operation is/was based in St.
Petersburgh, not Moscow.

> May be their ip's been used for sending SPAM or anything
> else but it is the same issue like a SPAM was sent by using MCI,
> Comcast. Korea or Japan ISP and should be managed by standard way
> without threatment of country or nationality.

All countries have ISPs that are poor at managing their spam problems
including mine (UK). When they are bad enough, their IP ranges get
black-listed by Spamhaus and others. I'm inclined to believe Spamhaus
operates a fair and equal process for all.

> If we all will go by
> another way, then we will get at least new Cold War if not How War.

No one wants a return to that.

> If
> we do business in US we should follow US law, if we do business in
> Russia we should follow Russian legislation. If we use the internet
> then we should follow nettetique.

I agree. There is no international law governing the Internet.
Sometimes that's good and sometimes not. I'm against too much
regulation.


Some Guy

ungelesen,
09.12.2007, 16:59:0909.12.07
an
Ant wrote:

> WTF? who rattled your cage?

Take it easy.

If my posts rattle the cage of the Russian internet criminal Dmtry
Ivanov then let him respond.

Let him argue how Russia has been a good internet citizen and how
Russia has done many good things for the internet world.

Rhonda Lea Kirk

ungelesen,
09.12.2007, 18:40:4209.12.07
an
Some Guy wrote:
> Ant wrote:
>
>> WTF? who rattled your cage?
>
> Take it easy.

I hope you're talking to yourself, Mr. Full-Frontal Assault on Someone
Who Never Did Anything Wrong to You.

> If my posts rattle the cage of the Russian internet criminal Dmtry
> Ivanov then let him respond.

Would you respond to someone who came out the blue and called you a
criminal?

> Let him argue how Russia has been a good internet citizen and how
> Russia has done many good things for the internet world.

Individuals are good (or bad) internet citizens, not countries.

--
Rhonda Lea Kirk
ni...@databasix.com

Some are tempted to think of life in cyberspace as insignificant,
as escape or meaningless diversion. It is not. Our experiences there
are serious play. We belittle them at our risk. Sherry Turkle


scotteh

ungelesen,
10.12.2007, 13:27:0410.12.07
an
Oooooooooooooooooooooookay!

Sorry I asked!

I couldn't find any way to get rid of it, so I installed a new HD, put
XP on it, copied over her data.

Problem solved. Until she does it again. :/

Thanks for all the responses!

Scott

Ant

ungelesen,
10.12.2007, 17:54:3010.12.07
an
"scotteh" wrote:

> Oooooooooooooooooooooookay!
>
> Sorry I asked!

Not at all. I enjoyed the discussion.

> I couldn't find any way to get rid of it,

Problem being, nobody knew what 'it' was. I couldn't get to the site
and you never gave any AV scan result.

> so I installed a new HD, put
> XP on it, copied over her data.

Safest way to deal with it.

> Problem solved. Until she does it again. :/

Better lock down your OS tighter so these nasties can't get installed
in the first place. At least you can do that with XP, whereas W9x is
completely open.


scotteh

ungelesen,
10.12.2007, 20:13:2010.12.07
an
Well, the result of all scans was NOTHING! "System clean!" was
basically all I got, toher than a few minor things that were
unrelated.

Yeah, thats a good idea. I usually give people access, but in this
case I think I will revoke that. This is at least the second time this
person has had a virus.

Thanks!

Scott


Some Guy

ungelesen,
10.12.2007, 21:25:1210.12.07
an
Ant wrote:

> Better lock down your OS tighter so these nasties can't get
> installed in the first place. At least you can do that with XP,
> whereas W9x is completely open.

You are joking.

Win-XP was the most vulnerable OS ever made by MS, second only to 2K.

Win-98 was more bullet-proof (if only by chance or lack of
sophistication). Name a network work that 9x was vulnerable to.

The only real vulnerabilities win-9x has is because of IE (while 2K
and XP had many other vulnerabilities that took 6 years to get fully
patched). And many IE vulerabilities didn't apply to 9x at all.

If you run spybot and spyware blaster against IE (innoculation) that
will lock it down pretty good.

Some Guy

ungelesen,
10.12.2007, 21:48:2610.12.07
an
Ant wrote:

> Better lock down your OS tighter so these nasties can't get
> installed in the first place. At least you can do that with XP,
> whereas W9x is completely open.

You are joking.

Win-XP was the most vulnerable OS ever made by MS, second only to 2K.

Win-98 was more bullet-proof (if only by chance or lack of

sophistication). Name a network work (correction - worm) that 9x
was vulnerable to.

Gabriele Neukam

ungelesen,
11.12.2007, 12:29:1011.12.07
an
On this special day, Ant wrote:

> Better lock down your OS tighter so these nasties can't get installed
> in the first place. At least you can do that with XP, whereas W9x is
> completely open.

that depends. At least the old 9x Oses didn't have services which would
listen to everything that came from the outside, except for the NetBIOS
protocol, and the file and printer sharing (which were abused by older
worms). The lsass distaster was specific to the Win2K and Xp Oses.

But even if you turn *Windows* Messenger off, one can end up with a
smitfraud screen as my sister did (boy was that a job to remove this
nasty blackmail program).

Her messenger was inactive, but she reported that she had constantly to
click away pop ups that told her something about trojans in her system
(she doesn't even speak english). She swore that she always hit close,
but still this thing was there, and she couldn't explain, why.

Finally I check her startup entries to find out how it got in.

Among other things, there was a Google Tollbar. This toolbar has a
messenger included. As she doesn't know how what a toolbar is, she
never bothered to tell me about it or configure it.

I used msconfig and turned it off. After all, which german needs a
Google Toolbar?


Gabriele Neukam

Gabriele.Spam...@t-online.de

--
> Is there such a thing as a Honeymoon period in a new newsgroup?
(Roger Hunt in uk.comp.vintage)
In a want it now instantly straight away world - no :-)
(Krustov in ucv)


scotteh

ungelesen,
11.12.2007, 17:19:3211.12.07
an
Bad news, everyone.... someone else just got it. This is someone
fairly knowledgable and wouldn't generally click a link haphazardly
like that. This time it's an XP machine so hopefully I'll have more
options and tools to find/fix it... but Im not looking forward to
this.

Scott

Ant

ungelesen,
11.12.2007, 19:21:4011.12.07
an
"Gabriele Neukam" wrote:

> On this special day, Ant wrote:
>> Better lock down your OS tighter so these nasties can't get installed
>> in the first place. At least you can do that with XP, whereas W9x is
>> completely open.
>
> that depends. At least the old 9x Oses didn't have services which would
> listen to everything that came from the outside,

That's a bad default configuration. Those services should be turned
off or firewalled.

The point is that NT based systems have security policies and
different levels of access rights. If you surf the net with admin
rights you're asking for trouble. W9x has no concept of this, so once
something gets in there's no safety net. At least with a properly
configured NT box you can limit the damage.

XP as shipped for the general public to use as an Internet terminal
isn't safe for that purpose. Of course, an average user doesn't know
any better. I believe MS are trying to do a better job with Vista but
users will still run with inappropriate rights and disregard warning
dialogs anyway.

> Among other things, there was a Google Tollbar. This toolbar has a
> messenger included. As she doesn't know how what a toolbar is, she
> never bothered to tell me about it or configure it.

Why did she install it in the first place?

> I used msconfig and turned it off. After all, which german needs a
> Google Toolbar?

Why does anyone need one, and why not germans in particular?


Some Guy

ungelesen,
11.12.2007, 21:22:0511.12.07
an
Ant wrote:

> XP as shipped for the general public to use as an Internet
> terminal isn't safe for that purpose.

Microsoft could have gotten it right.

They created XP-home and XP-pro.

They could have had different configuration for XP-home. But they
didn't. Because it was easier for them for support reasons to leave
all versions of XP fully open and all services running, all
administrative shares turned on, all netbios ports ready to be
hijacked.

So Microsoft created most of the malware/botnet/spam/identity-theft
situation we have today by forcing the incredibly vulnerable XP
operating system into homes and small businesses starting in 2002.

People would have been better off to stick with windows-98 until the
summer of 2004 when XP-sp2 came out. But most of them didn't have a
choice, and the "experts" (and journalists) were telling them to fall
over the cliff like lemmings and get XP.

Gabriele Neukam

ungelesen,
12.12.2007, 10:48:2212.12.07
an
On this special day, Ant wrote:

>> Among other things, there was a Google Tollbar. This toolbar has a
>> messenger included. As she doesn't know how what a toolbar is, she
>> never bothered to tell me about it or configure it.
>
> Why did she install it in the first place?

I don't know, she couldn't explain it to me. She had a lot of programs
on her machine, and one might have brought it in as an "extra service"

No it wasn't daemon tools. She doesn't even know what a virtual drive
is. But other "freebies" do the same, and if you are offered "something
good thrown in", and the "install" button is already active, why would
you de-tick it? If you don't know about the consequences, that is...


Gabriele Neukam

Gabriele.Spam...@t-online.de

--
No I am not a troll. Just a beginner and lazy!!!!!!!!!!!
(leepeach in alt.comp.virus, asked why (s)he was repeatedly asking the
same question)


Ant

ungelesen,
12.12.2007, 19:10:3212.12.07
an
"Gabriele Neukam" wrote:

> But other "freebies" do the same, and if you are offered "something
> good thrown in", and the "install" button is already active, why would
> you de-tick it?

Well, speaking for myself, I wouldn't install dubious freebies let
alone optional extras for which I had no need.

> If you don't know about the consequences, that is...

I hope your sister has learned a lesson.


0 neue Nachrichten