Open Source and information security mailing list archives
 
From: mjcarter at ihug.co.nz (Mike)
Subject: Fake Virus Warnings From ISPs

Hi All,

Warning: be careful with the links in this email.

Posted in the SANS diary by Johannes Ullrich:

A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
user into downloading a Trojan.

[snip]

This appears to be bigger than Yahoo being faked. I recently received this
faked email:

Virus Alert
To:mjcarter
From: ihug.co.nz's Internet Virus Department

We have detected a possible computer virus on your computer, You must open
the details of the report within 24 hours our we will be forced to shut down
your internet service.

Please Click Below Then Press "open" To View The Report If you do not open
this report in 24 hours we will suspend your internet service If nothing
apears on your virus report please dis-regard this message
Click Here Now
<http://ihug.co.nz%01@...j6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>

Clicking on the link takes me to
http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ which redirects to
http://66.98.208.24/cgi-bin/page.cgi and attempts to download page.hta which
McAfee detects as VBS/Inor.

I've contacted my ISP and forwarded it to them. I wonder how many other ISPs
are about to be flooded with calls.

Note the URL is changing; it was originally
http://66.98.208.24/cgi-bin/page.cgi which was shut down.

But it is now residing at http://210.51.184.247/cgi-bin/page.cgi

inetnum:      210.51.0.0 - 210.51.255.255
netname:      CNCNET
descr:        China Netcom Corp.
descr:        New Telecommunication Carrier Based on IP Backbone
country:      CN
admin-c:      JM284-AP
tech-c:       JM284-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CN-ZM28
changed:      hostmaster@...ic.net 20001011
changed:      hm-changed@...ic.net 20020703
changed:      hm-changed@...ic.net 20030212
status:       ALLOCATED PORTABLE
source:       APNIC


Regards
Mike
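
An added example, not part of the original post: a Python check that a mail filter could run over message text to flag links shaped like the one quoted above, where a userinfo part precedes the "@" and carries a percent-encoded control character such as %01. The function names and the sample message (using reserved example.* hosts) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# http(s) URLs in message text, ending at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
HOSTLIKE_RE = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")

def inspect_url(url):
    """Return the reasons (possibly none) a URL's authority part looks deceptive."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return []
    # Everything before the last "@" is userinfo; the browser connects to what follows.
    userinfo, _, hostport = netloc.rpartition("@")
    decoded = unquote(userinfo)
    reasons = ["userinfo present; real host is " + hostport]
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        reasons.append("control character encoded in userinfo")
    if HOSTLIKE_RE.search(decoded):
        reasons.append("userinfo looks like a hostname")
    return reasons

def scan_message(text):
    """Return (url, reasons) for every link in text that inspect_url flags."""
    hits = []
    for url in URL_RE.findall(text):
        reasons = inspect_url(url)
        if reasons:
            hits.append((url, reasons))
    return hits

# Constructed sample message; all hosts are reserved example names.
SAMPLE = """\
Click Here Now <http://isp.example%01@mirror.example.net/special2/>
Help pages: http://www.example.org/help
Files: https://alice@files.example.com/
"""

if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE):
        print(url)
        for r in reasons:
            print("   -", r)
```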


