Virus laden site

[pp hammer]

This site links to http://www.drinkaware.co.uk/

The latter seems to redirect to www.sp2fucked.biz which is laden with
viruses.

drinkaware goes to drinkaware no redirect.. and drinking could be causing me
problems they say

Welcome to Sp2Fucked Toolbar Cash Program .. its all feckin russian and
doesnt do anything naughty with firefox, cant see any exploits in page
source (which might have triggered nod32 ), but one things for sure i aint
visiting no sites with internet exploder to see what they do

 

[Tx2]

otherwise they will come off as just another hysterical
uninformed alarmist, as they have in this newsgroup

despite posting log entries to the contrary ...

 

[Tx2]

despite posting log entries to the contrary ...

I suspect the site is being used to highlight what the author(s)
consider shortcomings in SP2 .... the log file shows a variety of .htm
addresses which probably have different 'examples' of exploits.

That's my guess anyway.

 

[Bart Bailey]

despite posting log entries to the contrary ...

Those log entries showed nothing viral,
just html components of a web site.

OK,
you wannabe smart ass,
which virus has your panties in such a wad?
What's its name?
how do you know that?
You surely don't seem capable of hex-editing and reversing something to
determine viral activity, so which antivirus scanning application
indicated there was anything viral involved, and what was it called?

 

[Bart Bailey]

I suspect the site is being used to highlight what the author(s)
consider shortcomings in SP2 .... the log file shows a variety of .htm
addresses which probably have different 'examples' of exploits.

That's my guess anyway.

Exploits can be a nuisance if your browser is vulnerable to them, but to
make blatantly uninformed claims of viral activity when there is none,
just belies the fool doing the hollering.

 

[aD]

In Message-ID:<[email protected]> posted on
Sat, 13 Nov 2004 08:10:29 -0000, Tx2 wrote: Begin




Those log entries showed nothing viral,
just html components of a web site.

I don't usually indulge in these pointless activities but you need educating.

I'm sure Tx2 will agree with me on most or all of the answers to your
strange questions.

which virus has your panties in such a wad?
What's its name?

http://www.sp2fucked.biz/user1/new/GetAccess.class
Java/Exploit.Bytverify.F trojan connection terminated

Well let's see; my guess this one will be the "Java/Exploit.Byteverify.F"
trojan.

My NAV says:
GetAccess.class: Trojan.ByteVerify
====

http://www.sp2fucked.biz/user1/new/classload.jar
multiple infiltrations connection terminated

My NAV says:
Dummy.class: Trojan.ByteVerify
GetAccess.class: Trojan.ByteVerify
InsecureClassLoader.class: Trojan.ByteVerify
Installer.class: Trojan.ByteVerify

See:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
====

http://www.sp2fucked.biz/user1/****.htm
HTML/Exploit.ObjData trojan connection terminated

My NAV says:
****.htm: Trojan Horse (generic detection)
===

http://www.sp2fucked.biz/user1/exploit.htm
HTML/Exploit.Mht.A trojan connection terminated

My NAV says:
exploit.htm: Trojan Horse (generic detection)
===

http://213.159.117.133/dl/loaderadv10.jar
multiple infiltrations connection terminated

My NAV says:
Counter.class: Trojan.ByteVerify
Parser.class: Trojan.ByteVerify
===

how do you know that?

Uh, because my anti-virus program analysed the file content and matched it
against its detection rules? Funny that! Fancy an anti-virus program
telling you what virus a file had in it.

You surely don't seem capable of hex-editing

And that's got /what/ to do with determining if something has viral content?
Nothing. That's what anti-virus is for.

and reversing something

Why would you want to reverse engineer something just to see if it had
viral content? Wouldn't that be a tad of a waste of time unless you
suspected the file?

to determine viral activity,

Like I said, the anti-virus program already told us this
Seems silly to assume it's wrong and reverse engineer it just to find out
the anti-virus was right in the first place.

so which antivirus scanning application indicated there was anything
viral involved, and what was it called?

If you would take the time to read the original poster he made it
repeatedly quite clear "which antivirus scanning application" and "what it
was called". NOD32. I quote original poster:

"...resulted in my NOD32 springing into action"
"Whatever - NOD32 who i trust a damn site more..."
"A slice of the NOD32 log shown below..."

Hey people, wanna guess what anti-virus Tx2 is using?

Regards,


aD

 

[Bart Bailey]

In Message-ID:<[email protected]> posted on Sat,
13 Nov 2004 12:39:43 +0000, aD wrote: Begin


<snipped the load of bollocks>


OK,
Now I see,
You're making an equivalency between a virus and a trojan.
tsk...tsk...

 

[aD]

In Message-ID:<[email protected]> posted on Sat,
13 Nov 2004 12:39:43 +0000, aD wrote: Begin


<snipped the load of bollocks>


OK,
Now I see,
You're making an equivalency between a virus and a trojan.
tsk...tsk...

They are the same thing.
*I* consider a virus to be something that is an unsolicited
maliciously-created entity.

Spyware, viruses, trojans, worms, diallers.
I don't care if it only does one of the following:

"Phones home" with your IP address
Tracks your web usage
Serves you adverts
Deletes your files
Sends your files to other people
Spreads
Allows unauthorised access
Dials any number that you wouldn't want it to

They are all viruses. They are unsolicited maliciously-created entities.
They should all be treated very carefully and proactively screened against.

They're just given different names so that marketing/advertising droids can
hype them up.

I repeat: They're all viruses.

That's all I'm going to say on this topic


aD

 

[Bill]

They are the same thing.
*I* consider a virus to be something that is an unsolicited
maliciously-created entity.

Perhaps you do but Bart was referring to actual viruses, which I might
add that he is correct.

 

[Tx2]

Exploits can be a nuisance if your browser is vulnerable to them, but to
make blatantly uninformed claims of viral activity when there is none,
just belies the fool doing the hollering.

Why don't you just **** off criticising? The site has been cleaned up,
the correct site now shows, so there are no longer any 'threats'

I use NOD32, and NOD32 reported a lot of activity on that site when it
was both loaded in IE and Firefox at the time

I trust NOD32 a damn site more than i will ever trust you.

Now if you want to split hairs about what is a virus and what isn't do
it alone.

So far as i'm concerned, the site in question was a threat, i let folk
know, and now arseholes like you seem intent on arguing for arguments
sake!!

****wit

*plonk*

 

[Tx2]

Those log entries showed nothing viral,
just html components of a web site.

The NOD32 logs showed threat activities,; split hairs about what is and
what isn't a virus if you like, but do it alone

I raised the alarm over a site that alerted NOD32 into reacting, that's
good enough for me, and well above any judgement you might, or have been
able to offer.

The log files are there, read 'em, and make your own decision, but stop
criticising me for simply letting folk know!

I've already told you to **** off elsewhere, so follow my advice you
argumentative prick.

*plonk*

 

[Tx2]

In Message-ID:<[email protected]> posted on Sat,
13 Nov 2004 12:39:43 +0000, aD wrote: Begin


<snipped the load of bollocks>


OK,
Now I see,
You're making an equivalency between a virus and a trojan.
tsk...tsk...

Jesus this guy is a right wanker !!!

*plonk*

 

[Frederic Bonroy]

*I* consider a virus to be something that is an unsolicited
maliciously-created entity.

What *you* consider a virus to be is however *completely* irrelevant.

Words have a meaning.

 

[Bill]

What *you* consider a virus to be is however *completely* irrelevant.

Words have a meaning.

Bonroy! been awhile since I visited acv. I see we have a whole new bunch
of newbies to find annoying. How the hell have you been?

 

[Tx2]

Perhaps you do but Bart was referring to actual viruses, which I might
add that he is correct.

Pedantic is one word (amongst others) that comes to mind.

 

[Frederic Bonroy]

Bonroy! been awhile since I visited acv. I see we have a whole new bunch
of newbies to find annoying. How the hell have you been?

Let's face it: this newsgroup is boring and not even the occasional spat
with freshmen can obscure that fact. I can't blame you for having been
absent.

 

[Bill]

Let's face it: this newsgroup is boring and not even the occasional spat
with freshmen can obscure that fact. I can't blame you for having been
absent.

Well, I do have other interests and usenet is a big place.

 

[kurt wismer]

Why don't you just **** off criticising? The site has been cleaned up,
the correct site now shows, so there are no longer any 'threats'

I use NOD32, and NOD32 reported a lot of activity on that site when it
was both loaded in IE and Firefox at the time

you are clearly uninformed...

nod32 did not report viral activity, it's not an 'activity' monitor, it
reported access to suspect files - this in inherent when the browser
fetches suspicious objects referenced by the page it's loading... the
files were not necessarily activated under either browser, simply
written to your cache (something browsers do to speed up accessing that
page in the future)...

it is certainly not good to leave such files sitting around on your
computer, and there are some setups that are vulnerable to things like
the byteverify exploit (specifically if you're microsoft's java virtual
machine and haven't patched this hole thats over a year old), but you
definitely misrepresented the threat posed by it when you stating that
it 'affected' both IE and firefox as the results you were seeing were
due to normal browser activity and didn't actually indicate a
successful compromise of your security...

 

[kurt wismer]

They are the same thing.
*I* consider a virus to be something that is an unsolicited
maliciously-created entity.

and i consider a virus to be anything that is blue...

personal definitions of things are *so* useful, aren't they?

 

[Gabriele Neukam]

On that special day, aD, ([email protected]) said...

My NAV says:
GetAccess.class: Trojan.ByteVerify

A JScript trick, or likes of it. Oooooold news. Should be fixed for more
than a year in your browser, and not hurt.


Gabriele Neukam

(e-mail address removed)