I went to a website, Accuweather.com to check the weather and THIS site
popped up! It is a Trojan and it wanted me to download / install its CRAP
file!
I am hoping someone can tell me where I can HELP people out, to prevent this
CRAP from spreading. I am looking to have some security experts (as I am NOT
qualified) determine that this site should be blocked on a Blacklist to
prevent its Trojan from spreading.
Is there a website(s) that I can submit this link below that I "THINK" /
feel / know is a malicious site and I want to "share" that with others to have
people BLOCK it for their AntiVirus system, say for Security Essentials, AVG,
McAfee, TrendMicro, Norton, etc.
Thank you.
Matt
THIS IS A TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!
http://servscanner03.com/2/?sess=%3DGQ21jTwOS0zJmlwPTk4LjIxNi4xMTYuMTMwJnRpbWU9MTI1NTkwOY0MaQ%3DM
regards, Richard
"Matt Carter" <MLCart...@yahoo.com.(doNOTspam)> wrote in message
news:034252FE-C1D0-4E33...@microsoft.com...
| That's very clever, ....including the URL to what you suspect is malware !
Richard, what you did wasn't too good as you quoted the post with a possibly malicious
URL and FAILED to obfuscate said URL !
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
| Thank you.
| Matt
| h**p://servscanner03.com/2/?sess=%
| 3DGQ21jTwOS0zJmlwPTk4LjIxNi4xMTYuMTMwJnRpbWU9MTI1NTkwOY0MaQ%3DM
In the future please do NOT post possibly malicious URLs without first obfuscating the URL
as I have done in my reply by changing http to h**p. Thus the URL is no longer
"clickable".
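As an added example (not code from anyone in this thread), a small Python helper that applies the obfuscation Dave describes, in both the h**p style used in his reply and the hxxp style used elsewhere in the thread, and checks a draft post for live links before it goes out; the sample URL and message are constructed.

```python
import re

# Scheme + host + rest; the host is everything up to the first '/', '?' or '#'.
_URL_RE = re.compile(r"\b(https?)://([^\s<>\"'/?#]+)([^\s<>\"']*)", re.IGNORECASE)


def defang_url(url, style="hxxp"):
    """Return a non-clickable form of url. style="hxxp" rewrites the scheme as
    hxxp://, style="stars" as h**p:// (Dave's convention); both also bracket
    the dots of the host ([.]) so a news or mail client will not auto-link it."""
    m = _URL_RE.fullmatch(url.strip())
    if not m:
        return url
    scheme, host, rest = m.groups()
    tail = scheme[4:]  # '' for http, 's' for https
    scheme = ("hxxp" if style == "hxxp" else "h**p") + tail
    return f"{scheme}://{host.replace('.', '[.]')}{rest}"


def defang_text(text, style="hxxp"):
    """Defang every URL in a message body before it is posted."""
    return _URL_RE.sub(lambda m: defang_url(m.group(0), style), text)


def refang(text):
    """Undo either convention so the URL can be reported or analysed."""
    text = re.sub(r"\bh(?:xx|\*\*)p(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".")


def has_clickable_url(text):
    """True when a message still carries a live http(s) URL."""
    return _URL_RE.search(text) is not None
```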
The URL has been reported.
Not that it will do much good. The rogue malware URLs now have very short lifespans.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"RJK" <nos...@hotmail.com> wrote in message
news:OTeQx7ad...@TK2MSFTNGP06.phx.gbl...
* + 78.47.230.38 servscanner03.com
|___ 21 File Transfer Protocol [Control]
|___ 220 FTP Server ready...
|___ 22 SSH Remote Login Protocol
|___ SSH-2.0-OpenSSH_5.2..
|___ 80 World Wide Web HTTP
|___ HTTP/1.1 403 Forbidden..Date: Sun, 06 Dec 2009 07:50:33 GMT..Server: Apache..Connection: close..Content-Type: text/html; charse
|___ 111 SUN Remote Procedure Call
"Matt Carter" <MLCart...@yahoo.com.(doNOTspam)> wrote in message
news:034252FE-C1D0-4E33...@microsoft.com...
> THIS IS A TROJAN!! PLEASE DO NOT OPEN / SELECT THIS FILE! PLEASE!
> hxxp://servscanner03.com/ (...)
VT scan of file Antivir-93cf_2005-3.exe:
Only 1 hit out of 41:
Prevx 3.0 2009.12.06 Medium Risk Malware Dropper
Prevx information about this file:
File Behavior
ANTIVIR-8023_2018-1[1].EXE has been seen to perform the following
behavior:
* Executes a Process
* Installs a browser helper object (BHO)
* Registers a Dynamic Link Library File
* Creates new folders on the system
* This Process Deletes Other Processes From Disk
* Copies files
* Enables an In Process Object/Server - Common with DLL Injections
* Creates a new Background Service on the machine
* Injects code into other processes
* This process creates other processes on disk
ANTIVIR-8023_2018-1[1].EXE has been the subject of the following
behavior:
* Executed as a Process
* Deleted as a process from disk
Country Of Origin
The filename ANTIVIR-8023_2018-1[1].EXE was first seen on Dec 6 2009 in
the following geographical region of the Prevx community:
* GREAT BRITAIN on Dec 6 2009
File Name Aliases
ANTIVIR-8023_2018-1[1].EXE can also use the following file names:
* 21682525.EXE
* DPLUMWYLUB-753.PMS.EXE
* TMP.0QX6X7
Filesizes
This file has been seen with the following file size:
* 163,840 bytes
Hey Matt - Virus Guy's post also demonstrates a good way to make the
anti-malware community aware of a new incarnation of malware. If you are
careful enough with the handling of malware (as Virus Guy apparently is)
you can capture the actual malware executable file and submit it to
scanning at Virustotal.com (VT) and from there many vendors will be made
aware of this new threat.
Targeting the website as you suggest is not a bad idea, but as David
Lipman suggests it is a little like swatting flies.
> VT scan of file Antivir-93cf_2005-3.exe:
>
> http://tinyurl.com/y93br4b
>
> Only 1 hit out of 41:
Nice catch! Are you using "view-source" on 98? I miss that scheme on XP.
> > VT scan of file Antivir-93cf_2005-3.exe:
> >
> > http://tinyurl.com/y93br4b
> >
> > Only 1 hit out of 41:
I'm noticing that my tinyurl link isn't working.
I re-submitted the file to VT (and VT didn't indicate that it had
already seen it before ?).
VT is now reporting 4 hits:
a-squared Trojan-Downloader.Win32.FraudLoad!IK
Ikarus Trojan-Downloader.Win32.FraudLoad
Kaspersky Trojan-Downloader.Win32.FraudLoad.wwvb
Prevx Medium Risk Malware Dropper
This VT link works:
> Nice catch! Are you using "view-source" on 98? I miss that
> scheme on XP.
Actually, I just cut and pasted the URL into firefox and sat back and
watched the fireworks. Whenever that doesn't work, I'll try wget.
With these fake-AV scans I will usually, eventually get a firefox popup
asking what I want to do with the .exe file that's being pushed at me.
I save it to my /virus/ folder and as soon as it's downloaded, I fire it
off to VT. If it's a compressed file (at least, compressed using .zip
or something that winrar can unpack) then I'll decompress it first
before submission.
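An added example (not Virus Guy's own tooling) of the staging step he describes: a saved sample, or each file inside a .zip it came in, is unpacked without being executed and hashed so the SHA-256 can be looked up or submitted. Archive members that would land outside the work folder are skipped; the archive in demo() is constructed and inert.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file, read in chunks; submit or look up this value first."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def stage_sample(sample_path, work_dir):
    """Return {name, sha256, size} for a saved sample; a .zip is unpacked under
    work_dir first, as the post describes. Members with absolute or '..' paths
    are skipped (zip-slip guard); nothing is executed, only copied and hashed."""
    sample_path, work_dir = Path(sample_path), Path(work_dir)
    work_dir.mkdir(parents=True, exist_ok=True)
    if not zipfile.is_zipfile(sample_path):
        return [{"name": sample_path.name, "sha256": sha256_of(sample_path),
                 "size": sample_path.stat().st_size}]
    records = []
    with zipfile.ZipFile(sample_path) as zf:
        for info in zf.infolist():
            parts = Path(info.filename).parts
            if info.is_dir() or Path(info.filename).is_absolute() or ".." in parts:
                continue  # would write outside work_dir
            dest = work_dir.joinpath(*parts)
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)
            records.append({"name": dest.name, "sha256": sha256_of(dest),
                            "size": dest.stat().st_size})
    return records

def demo():
    """Constructed archive: one inert payload plus one zip-slip member."""
    tmp = Path(tempfile.mkdtemp())
    archive = tmp / "download.zip"
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("antivir-demo.bin", b"constructed, inert sample bytes")
        zf.writestr("../escape.bin", b"would land outside the work dir")
    records = stage_sample(archive, tmp / "work")
    return records, (tmp / "escape.bin").exists()
```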
Ooops ! ...quite right ! ...
regards, Richard
...age doesn't come on its own !
...the obvious is sometimes overlooked,
...and I, recently, seem to be doing a lot of "overlooking." !!!