Msg.ID: 26732
From: Res Judicata
About: Re: OT: Virus Alert ATTN Alexio
At: 2004-07-14 20:41:38
HEY CBS nice research man.

Res Judicata

From a message by Cbs228 about OT: Virus Alert ATTN Alexio:

Alexio [6:41 PM]:
funny Santa :) (use arrows to move)
http://www.salsa-lol.com/flash/03-sobersanta.exe


I believe that a virus has taken over Alexio's machine in an attempt to
spread itself. I have been attempting to dig up information on the
above host. Here is what I have found:

1. There appears to be nothing on the server besides the above
executable. There is just a dummy page in the web root, and the
sobersanta.exe file is the only thing in the /flash directory.

2. The DNS name is in the Network Solutions' WHOIS database
(www.internic.net) as being registered by the enom.com registrar.
According to whois.enom.com, the name was registered on 07 Jul 2004
13:36:18-- just a few days ago. The phone number given on the
registration is unlisted and the name was registered with a yahoo.com
email address.

3. The domain name contained in the SOA record (e.g. provides DNS
servers for) for salsa-lol.com is SERVER296.COM. The name is in the
Network Solutions' WHOIS database, but it was registered only a month
ago (22-Jun-2004). Furthermore, the registrant data appears to be a
faker: The name is registered to a "Dimitrov, Dimiter (EJRBHLEYXI)"
(hmm, what's with the letters...) in country code BG (Bulgaria), but
the email address referenced belongs to a webhosting company in Hong
Kong, while the servers for salsa-lol.com and SERVER296.COM are in the
United States. SERVER296.COM does not appear to be a legitimate
webhosting company.

4. Alexio did not respond when I asked him about the message
immediately after I received it.

5. I can't locate a file by that name anywhere else on a google-indexed
page. The server is not linked to anywhere on a google page, nor does
it show up in searches.

I am unable to run a pc virus scanner on this file, but the above seems
to me to be quite suspicious-- it looks like a setup for spreading
viruses.

Alex, did you send this message?


Colin Stagner
The Fugitives From Fate Permacorp!
http://cbs228.home.mindspring.com/Fugitives/

chown -R :us ~you/base/

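An added example, not code from the post or the board: a small Python triage script that automates the checks in steps 2 and 3 of Cbs228's message, parsing WHOIS-style text for the creation date and registrant e-mail and following the name-server domain to a second record. The WHOIS excerpts are constructed from the facts in the post, and the free-webmail list and 30-day threshold are assumptions.

```python
import re
from datetime import datetime
# Constructed WHOIS excerpts modelled on the facts in the post above (not real registry output).
WHOIS_SALSA = """Domain Name: SALSA-LOL.COM
Creation Date: 07 Jul 2004 13:36:18
Registrant Email: someone@yahoo.com
Name Server: NS1.SERVER296.COM
"""
WHOIS_SERVER296 = """Domain Name: SERVER296.COM
Creation Date: 22-Jun-2004
Registrant Email: support@hosting-example.hk
Name Server: NS1.SERVER296.COM
"""
SEEN_AT = datetime(2004, 7, 14, 20, 41, 38)  # timestamp of the reply above
FREE_MAIL = {"yahoo.com", "hotmail.com"}     # assumption: webmail registrant is a weak signal
DATE_FORMATS = ("%d %b %Y %H:%M:%S", "%d-%b-%Y", "%Y-%m-%d")  # formats seen in the post

def parse_field(text, name):
    # First 'Name: value' line in a WHOIS-style record, or None.
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None

def parse_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue  # falls through to None when no format matches

def domain_age_days(whois_text, observed_at):
    # Days between registration and the moment the link was seen; None if unknown.
    created = parse_date(parse_field(whois_text, "Creation Date") or "")
    return (observed_at - created).days if created is not None else None

def nameserver_domain(whois_text):
    # Registrable domain of the first listed name server (the SOA check, step 3 in the post).
    ns = parse_field(whois_text, "Name Server") or ""
    return ".".join(ns.lower().split(".")[-2:]) if ns else None

def triage(whois_text, observed_at, max_age_days=30):
    # Findings for one record: newly registered domain, free webmail registrant.
    findings = []
    age = domain_age_days(whois_text, observed_at)
    if age is not None and age < max_age_days:
        findings.append(f"registered {age} days before the message")
    email = (parse_field(whois_text, "Registrant Email") or "").lower()
    if email.rsplit("@", 1)[-1] in FREE_MAIL:
        findings.append("registrant uses a free webmail address")
    return findings

def triage_chain(link_whois, ns_whois, observed_at):
    # Walk the chain the post walked: the link's domain, then the domain serving its DNS.
    return {"link": triage(link_whois, observed_at),
            nameserver_domain(link_whois): triage(ns_whois, observed_at)}
```

Running `triage_chain(WHOIS_SALSA, WHOIS_SERVER296, SEEN_AT)` reproduces the post's two findings: both the linked domain and its DNS provider were registered within the month before the message.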

