
How / where do I report a malicious site that has a trojan?


Matt Carter
Dec 5, 2009, 6:05:02 AM

I am on Windows 7 Pro x64 IE 8 and I have Microsoft Security Essentials
Microsoft Security Essentials Version: 1.0.1611.0
Antimalware Client Version: 2.0.6212.0
Engine Version: 1.1.5302.0
Antivirus definitions: 1.71.527.0
Antispyware definitions: 1.71.527.0

I went to a website, Accuweather.com, to check the weather and THIS site
popped up! It is a Trojan and it wanted me to download / install its CRAP
file!

I am hoping someone can tell me where I can HELP people out, to prevent this
CRAP from spreading. I am looking to have some security experts (as I am NOT
qualified) determine that this site should be blocked on a Blacklist to
prevent its Trojan from spreading.
Is there a website(s) where I can submit the link below, which I "THINK" /
feel / know is a malicious site, so I can "share" it with others and have
people BLOCK it in their AntiVirus system, say for Security Essentials, AVG,
McAfee, TrendMicro, Norton, etc.?

Thank you.

Matt


THIS IS A TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!
http://servscanner03.com/2/?sess=%3DGQ21jTwOS0zJmlwPTk4LjIxNi4xMTYuMTMwJnRpbWU9MTI1NTkwOY0MaQ%3DM

RJK
Dec 5, 2009, 8:29:10 AM

That's very clever, ....including the URL to what you suspect is malware !

regards, Richard


"Matt Carter" <MLCart...@yahoo.com.(doNOTspam)> wrote in message
news:034252FE-C1D0-4E33...@microsoft.com...

David H. Lipman
Dec 5, 2009, 8:47:22 AM

From: "RJK" <nos...@hotmail.com>

| That's very clever, ....including the URL to what you suspect is malware !

Richard, what you did wasn't too good, as you quoted the post with a possibly malicious
URL and FAILED to obfuscate said URL !


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


David H. Lipman
Dec 5, 2009, 8:54:08 AM

From: "Matt Carter" <MLCart...@yahoo.com.(doNOTspam)>

| Thank you.

| Matt

| h**p://servscanner03.com/2/?sess=%3DGQ21jTwOS0zJmlwPTk4LjIxNi4xMTYuMTMwJnRpbWU9MTI1NTkwOY0MaQ%3DM

In the future please do NOT post possibly malicious URLs without first obfuscating the URL,
as I have done in my reply by changing http to h**p. Thus the URL is no longer
"clickable".

The URL has been reported.
Not that it will do much good. The rogue malware URLs now have very short lifespans.
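
The obfuscation David describes (rewriting the scheme so mail and news clients stop auto-linking the URL) is easy to get wrong by hand when a post contains several links. The following is an added example, not code from anyone in this thread: a small Python helper that "defangs" URLs using the hxxp convention (David's h**p is accepted on the way back in), also wraps the dots in the host name as [.], and can scan a whole message body before it is posted. The refang direction exists only so an analyst can recover the original string for a lookup or a report; the sample URLs in the code are constructed, not taken from the thread.

```python
"""Defang / refang URLs so a suspicious link is shared in a non-clickable form.

Added example (not part of the original newsgroup thread). Conventions:
  scheme  http -> hxxp, https -> hxxps, ftp -> fxp   (h**p also refangs)
  host    every '.' becomes '[.]' so "bad.example.test" is not auto-linked
The path and query string are left as they are, since the host is what
clients and auto-linkers key on.
"""
import re

DEFANG_SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}
REFANG_SCHEMES = {
    "hxxp": "http", "hxxps": "https", "fxp": "ftp",
    "h**p": "http", "h**ps": "https",          # style used earlier in this thread
}

# Lenient split: <scheme>://<host>[<rest>]; scheme may contain '*' (h**p).
_URL_PARTS = re.compile(r"^(?P<scheme>[^:/\s]+)://(?P<host>[^/?#\s]+)(?P<rest>.*)$", re.DOTALL)

# Clickable URLs inside free text (stops at whitespace and common delimiters).
_LIVE_URL = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def _split(url: str):
    m = _URL_PARTS.match(url.strip())
    if not m:
        raise ValueError(f"not an absolute URL: {url!r}")
    return m["scheme"].lower(), m["host"], m["rest"]


def defang(url: str) -> str:
    """Return a non-clickable rendering of an absolute URL."""
    scheme, host, rest = _split(url)
    scheme = DEFANG_SCHEMES.get(scheme, scheme)   # unknown schemes pass through
    return f"{scheme}://{host.replace('.', '[.]')}{rest}"


def refang(url: str) -> str:
    """Undo defang(): restore the scheme and the dots in the host."""
    scheme, host, rest = _split(url)
    scheme = REFANG_SCHEMES.get(scheme, scheme)
    for token in ("[.]", "(.)", "{.}"):           # bracket styles seen in the wild
        host = host.replace(token, ".")
    return f"{scheme}://{host}{rest}"


def defang_text(text: str) -> str:
    """Defang every clickable http/https/ftp URL found in a message body."""
    return _LIVE_URL.sub(lambda m: defang(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample post; the domain is a reserved test name, not a real site.
    post = ("THIS IS A TROJAN!! Do not open it:\n"
            "http://bad.example.test/2/?sess=abc.def\n")
    print(defang_text(post))
    # -> hxxp://bad[.]example[.]test/2/?sess=abc.def
```

Run the script as-is to see the constructed post rewritten; in practice you would pipe a draft message through defang_text before sending it. Note that the text scanner deliberately stops at quotes and angle brackets, so a URL that is itself wrapped in a link tag or quoted string is still caught, while trailing sentence punctuation such as a final period will be swallowed into the match.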

The Real Truth MVP
Dec 5, 2009, 8:07:07 PM

You mean you read his whole post but missed the part about "THIS IS A
TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!" or are saying
that idiots will skip reading his post and go straight to the url and click
on it.

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.


"RJK" <nos...@hotmail.com> wrote in message
news:OTeQx7ad...@TK2MSFTNGP06.phx.gbl...

Hot-text
Dec 6, 2009, 2:55:41 AM

A PING

* + 78.47.230.38 servscanner03.com
|___ 21 File Transfer Protocol [Control]
|___ 220 FTP Server ready...
|___ 22 SSH Remote Login Protocol
|___ SSH-2.0-OpenSSH_5.2..
|___ 80 World Wide Web HTTP
|___ HTTP/1.1 403 Forbidden..Date: Sun, 06 Dec 2009 07:50:33 GMT..Server:
Apache..Connection: close..Content-Type: text/html; charse
|___ 111 SUN Remote Procedure Call


"Matt Carter" <MLCart...@yahoo.com.(doNOTspam)> wrote in message
news:034252FE-C1D0-4E33...@microsoft.com...

Virus Guy
Dec 6, 2009, 9:40:42 AM

Matt Carter wrote:

> THIS IS A TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!

> hxxp://servscanner03.com/ (...)

VT scan of file Antivir-93cf_2005-3.exe:

http://tinyurl.com/y93br4b

Only 1 hit out of 41:

Prevx 3.0 2009.12.06 Medium Risk Malware Dropper

Prevx information about this file:

http://tinyurl.com/y9d6e5z

File Behavior

ANTIVIR-8023_2018-1[1].EXE has been seen to perform the following
behavior:

* Executes a Process
* Installs a browser helper object (BHO)
* Registers a Dynamic Link Library File
* Creates new folders on the system
* This Process Deletes Other Processes From Disk
* Copies files
* Enables an In Process Object/Server - Common with DLL Injections
* Creates a new Background Service on the machine
* Injects code into other processes
* This process creates other processes on disk

ANTIVIR-8023_2018-1[1].EXE has been the subject of the following
behavior:

* Executed as a Process
* Deleted as a process from disk

Country Of Origin

The filename ANTIVIR-8023_2018-1[1].EXE was first seen on Dec 6 2009 in
the following geographical region of the Prevx community:

* GREAT BRITAIN on Dec 6 2009

File Name Aliases

ANTIVIR-8023_2018-1[1].EXE can also use the following file names:

* 21682525.EXE
* DPLUMWYLUB-753.PMS.EXE
* TMP.0QX6X7

Filesizes

This file has been seen with the following file size:

* 163,840 bytes

FromTheRafters
Dec 6, 2009, 3:25:00 PM

"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B1BC26A...@Guy.com...

> Matt Carter wrote:
>
>> THIS IS A TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!
>
>> hxxp://servscanner03.com/ (...)

Hey Matt - Virus Guy's post also demonstrates a good way to make the
anti-malware community aware of a new incarnation of malware. If you are
careful enough with the handling of malware (as Virus Guy apparently is)
you can capture the actual malware executable file and submit it to
scanning at Virustotal.com (VT) and from there many vendors will be made
aware of this new threat.

Targeting the website as you suggest is not a bad idea, but as David
Lipman suggests, it is a little like swatting flies.

> VT scan of file Antivir-93cf_2005-3.exe:
>
> http://tinyurl.com/y93br4b
>
> Only 1 hit out of 41:

Nice catch! Are you using "view-source" on 98? I miss that scheme on XP.

Virus Guy
Dec 6, 2009, 9:30:23 PM

FromTheRafters wrote:

> > VT scan of file Antivir-93cf_2005-3.exe:
> >
> > http://tinyurl.com/y93br4b
> >
> > Only 1 hit out of 41:

I'm noticing that my tinyurl link isn't working.

I re-submitted the file to VT (and VT didn't indicate that it had
already seen it before ?).

VT is now reporting 4 hits:

a-squared Trojan-Downloader.Win32.FraudLoad!IK
Ikarus Trojan-Downloader.Win32.FraudLoad
Kaspersky Trojan-Downloader.Win32.FraudLoad.wwvb
Prevx Medium Risk Malware Dropper

This VT link works:

http://tinyurl.com/yhuh9ny

> Nice catch! Are you using "view-source" on 98? I miss that
> scheme on XP.

Actually, I just cut and pasted the URL into firefox and sat back and
watched the fireworks. Whenever that doesn't work, I'll try wget.

With these fake-AV scans I will usually, eventually get a firefox popup
asking what I want to do with the .exe file that's being pushed at me.
I save it to my /virus/ folder and as soon as it's downloaded, I fire it
off to VT. If it's a compressed file (at least, compressed using .zip
or something that winrar can unpack) then I'll decompress it first
before submission.

RJK
Dec 7, 2009, 1:04:03 AM


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uIgZ6Fbd...@TK2MSFTNGP06.phx.gbl...

Ooops ! ...quite right ! ...

regards, Richard

...age doesn't come on its own !
...the obvious is sometimes overlooked,
...and I, recently, seem to be doing a lot of "overlooking." !!!

