Posted by barrwillams_bnk@yahoo.com on November 10, 2007, 11:35 pm
Virus Guy wrote:
> I got one of those storm invitation e-mails yesterday (Halloween
> theme, subject = "FW: To much fun").
>
> The link is:
>
> hxxp://69.144.141.75/
Subject: Dancing Bones
Date: Thu, 8 Nov 2007 18:11:28 +0100
I know I know, you hate this stuff, but this was way to funny. Show it
to the kids. hxxp://201.239.219.197/
> It tries to do some cross-site scripting, as well as run an active-x
> control. This results in 2 temp files in my IE cache.
> I sent those 2 files (one is 6.6 kb, the other 33.9 kb) to Virus
> Total, and only 1 application flagged them - Webwasher-Gateway -
> identified as JavaScript.CodeUnfolding.gen!High (suspicious).
>
> The user-clickable payload in this case was dancer.exe (about 125 kb)
> and it was identified by 19 out of 32 apps on VT (59% detection
> rate). Most/all of the first-tier AV apps flagged it (but then again
> this is probably after a good 24 hours of exposure).
>
> What is probably not widely known is that all AV apps seem to not care
> about the self-unpacking javascript files that come as part of the
> experience. Why aren't they looking for those?
>
> This makes Webwasher-Gateway look good.
I use a Linux machine, so I do not know what "Dancing Bones" does. I only found a
link to hxxp://201.239.219.197/dancer.exe (dancer.exe is infected by
Email-Worm.Win32.Zhelatin.ml, according to online Kaspersky (send a file option)).
The scariest thing is that this page is still alive today and the virus is still
there. Where should pages with viruses be reported?
--
barrwillams_bnk@yahoo.com is spammer
barrwillams_bnk(at)yahoo(dot)com is spammer