New virus?

Rose, Bobby brose at MED.WAYNE.EDU
Tue May 11 16:48:31 IST 2004


http://counter.spros.com/1/ has some files that are doing some rewrites.

RewriteCond %{HTTP_REFERER} !^http://.+\.spros\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://spros\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.boobsandtits\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://boobsandtits\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.porntetris\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://porntetris\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.leannalovelace\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://leannalovelace\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.brookeburn\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://brookeburn\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.bodaciousbabette\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://bodaciousbabette\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.nursemania\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://nursemania\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.hotadultseries\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://hotadultseries\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.freshpicseries\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://freshpicseries\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.premiumpost\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://premiumpost\.com/* [NC]

RewriteCond %{HTTP_REFERER} !^http://.+\.pixpox\.com/* [NC]
RewriteCond %{HTTP_REFERER} !^http://pixpox\.com/* [NC]


RewriteRule .*\.(htm|html)$ http://66.90.87.210/xyz.html [R,NC]

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Remco Barendse
Sent: Tuesday, May 11, 2004 11:39 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: New virus?

It's really strange, 3 different people report 3 different destinations
with this thing.

I ended up at the Spanish ISP's web page too (Terra), not the pr0n page
Julian found (guess it isn't my lucky day :) but anyways)

I tried ClamAV, McAfee and F-Prot so far; none of those 3 is picking
them up, even after the latest updates.


On Tue, 11 May 2004, Martin Hepworth wrote:

> Remco
>
> Clamav catches it... sophos doesn't - have sent off samples..
>
> also a bagle zip variant hitting my site - no passwd image where there
> should be one and the zip isn't encrypted so it sails past MS. Looks
> like a broken one..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Remco Barendse wrote:
> > We are receiving messages that contain only a link in the body. I
> > cannot confirm it is a virus but it is mass mailed and is pretending
> > to be something else.
> >
> > This is the complete contents of the df file of the virus (I would 
> > NOT open the url on a Winblows box!):
> >
> > <HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial 
> > size=2><BR><A href="http://drs.yahoo.com/ecem.com/NEWS/*http://
> > www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs
> > .yahoo.com/ecem.com/NEWS">http://drs.yahoo.com/ecem.com/NE
> > WS</A></FONT></DIV></BODY></HTML>
> >
> > It is not detected by 3 different virus scanners and I could not
> > find any info about it in google.
> >
> > I tried downloading the webpage but did not succeed.
> >
> > Can we block such constructed URLs in MailScanner?
> >
> > -------------------------- MailScanner list ----------------------
> > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > Before posting, please see the Most Asked Questions at
> > http://www.mailscanner.biz/maq/     and the archives at
> > http://www.jiscmail.ac.uk/lists/mailscanner.html
>
>
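
An added example, not part of the original thread and not MailScanner code: a standalone check for the kind of constructed link quoted above, where the href starts on one host but carries a second absolute URL on another. The function names are hypothetical; the sample is the message body from the thread with the archive's line wraps removed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Body of the message quoted above, with the archive's line wraps removed.
SAMPLE = ('<HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial size=2><BR>'
          '<A href="http://drs.yahoo.com/ecem.com/NEWS/*http://www.security-warning.biz'
          '/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/ecem.com/NEWS">'
          'http://drs.yahoo.com/ecem.com/NEWS</A></FONT></DIV></BODY></HTML>')
SCHEME = re.compile(r'https?://', re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href') or '', []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def host(url):
    return (urlsplit(url).hostname or '').lower()

def nested_targets(href):
    """Absolute URLs embedded in href after its own scheme. The #fragment is
    ignored: it is never sent to the server, so a URL there is only a decoy."""
    path = href.split('#', 1)[0]
    return [path[m.start():] for m in SCHEME.finditer(path) if m.start() > 0]

def suspicious_links(html):
    """Findings for links whose href carries a URL on a different host."""
    parser = LinkCollector()
    parser.feed(html)
    return [{'shown': text, 'outer_host': host(href), 'nested_host': host(t)}
            for href, text in parser.links
            for t in nested_targets(href) if host(t) != host(href)]

if __name__ == '__main__':
    for finding in suspicious_links(SAMPLE):
        print(finding)
```

Legitimate click-tracking links also nest a URL on another host, so a finding here is better used as a scoring signal than as an outright block.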
