New virus?

Rabellino Sergio rabellino at DI.UNITO.IT
Tue May 11 15:17:42 IST 2004


Remco Barendse wrote:
> We are receiving messages that contain only a link in the body. I cannot
> confirm it is a virus but it is mass mailed and is pretending to be
> something else.
>
> This is the complete contents of the df file of the virus (I would NOT
> open the url on a Winblows box!):
>
> <HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial
> size=2><BR><A href="http://drs.yahoo.com/ecem.com/NEWS/*http://
> www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/ecem.com/NEWS">http://drs.yahoo.com/ecem.com/NE
> WS</A></FONT></DIV></BODY></HTML>
>
> It is not detected up by 3 different virus scanner and I could not
> find any info about it in google.
>
> I tried downloading the webpage but did not succeed.
>
> Can we block such constructed url's in MailScanner?
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
I received them too, with the "pasted" url after the drs.yahoo.com taken from my domain.
Using Solaris browser I've checked the url without any feedback other than a redirect onto the yahoo homepage, but the
test is not exaustive at all.
The url is variant and so it's harder to catch.

--
Dott. Sergio Rabellino

  Technical Staff
  Department of Computer Science
  University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html



More information about the MailScanner mailing list