Virus laden site


optikl

Tx2 said:
Scrub that, it hits Firefox as well.

How? Because of Lava scripting being enabled? Or is there some Windows
vulnerability that Firefox can't avoid?
 

Tx2

"Hits"? I just got a download file prompt which I cancelled.


Oh FFS ... if you are going to pick ****ing holes, then I won't bother
posting warnings .... bollocks to you.
 

Tx2

How? Because of Lava scripting being enabled? Or is there some Windows
vulnerability that Firefox can't avoid?

I don't know, but simply loading (or attempting to load) the page in
Firefox resulted in my NOD32 springing into action ...

I know not, nor want to, the inner workings, except to say the said URL
is (was?) a virus source.
 

aD

Tx2 said:
I don't know, but simply loading (or attempting to load) the page in
Firefox resulted in my NOD32 springing into action ...

I know not, nor want to, the inner workings, except to say the said URL
is (was?) a virus source.

Ah, maybe NOD32 is smart enough to notice that Firefox went to fetch the
URL and not necessarily download it.

aD
 

Total Newbie

optikl said:
How? Because of Lava scripting being enabled? Or is there some Windows
vulnerability that Firefox can't avoid?
-------------------------------------------------------------------

I have visited www.sp2fucked.biz using XP Corp SP2 and IE6 with Popupcop,
F-Secure Antivirus Client Security 5.54 and Webroot Spy Sweeper 3.2.147 all
running in an attempt to identify the viruses from this site. Whatever I
click on the site, I cannot get a virus or spyware warning. Are you sure
this site is laden with viruses??? Please identify the viruses for me if
you can.

Thanks.
 

Bart Bailey

I know not, nor want to, the inner workings, except to say the said URL
is (was?) a virus source.

Now that's a prime example of the kind of arrant fool that inspires
malware authors. <g>

BTW: the site by itself does NOTHING!
Just a come on to get you to install a spyware toolbar and seems to have
a phishing component as well.
 

aD

Total said:
-------------------------------------------------------------------

I have visited www.sp2fucked.biz using XP Corp SP2 and IE6 with Popupcop,
F-Secure Antivirus Client Security 5.54 and Webroot Spy Sweeper 3.2.147 all
running in an attempt to identify the viruses from this site. Whatever I
click on the site, I cannot get a virus or spyware warning. Are you sure
this site is laden with viruses??? Please identify the viruses for me if
you can.

When I looked at the web page it didn't fetch any URLs with sp2fucked.biz
in them, maybe it gets different pages each time. There was definitely
viral content present though.


aD
 

Tx2

Now that's a prime example of the kind of arrant fool that inspires
malware authors. <g>

Rubbish, <g> or not ...

I don't know, and don't want to know, because I don't understand how to
know, and specialising in other areas of IT, don't have time to know.

What I do ensure however, is that my system is as secure as I can make
it, so how I inspire malware authors is a wild guess.

FFS, I post a heads up, and unappreciative people do nothing but
criticise!

BTW: the site by itself does NOTHING!

If you say so ...

Just a come on to get you to install a spyware toolbar and seems to have
a phishing component as well

Whatever - NOD32, which I trust a damn sight more than I ever will your
judgement, suggests otherwise.
 

Tx2

I have visited www.sp2fucked.biz using XP Corp SP2 and IE6 with Popupcop,
F-Secure Antivirus Client Security 5.54 and Webroot Spy Sweeper 3.2.147 all
running in an attempt to identify the viruses from this site. Whatever I
click on the site, I cannot get a virus or spyware warning. Are you sure
this site is laden with viruses??? Please identify the viruses for me if
you can.

The site webmaster has been informed of the problems, and AFAIAA, they
have temporarily taken down the site, and the BBC has removed the link, I
believe.

A slice of the NOD32 log shown below ... do with it what you will.


http://www.sp2fucked.biz/user1/new/GetAccess.class
Java/Exploit.Bytverify.F trojan connection terminated

http://www.sp2fucked.biz/user1/new/GetAccess.class
Java/Exploit.Bytverify.F trojan connection terminated

http://www.sp2fucked.biz/user1/new/classload.jar
multiple infiltrations connection terminated

http://www.sp2fucked.biz/user1/new/GetAccess.class
Java/Exploit.Bytverify.F trojan connection terminated

http://www.sp2fucked.biz/user1/****.htm
HTML/Exploit.ObjData trojan connection terminated

http://www.sp2fucked.biz/user1/new/GetAccess.class
Java/Exploit.Bytverify.F trojan connection terminated

http://www.sp2fucked.biz/user1/exploit.htm
HTML/Exploit.Mht.A trojan connection terminated

http://www.sp2fucked.biz/user1/new/classload.jar
multiple infiltrations connection terminated

http://www.sp2fucked.biz/user1/****.htm
HTML/Exploit.ObjData trojan connection terminated

http://www.sp2fucked.biz/user1/exploit.htm
HTML/Exploit.Mht.A trojan connection terminated

http://213.159.117.133/dl/loaderadv10.jar
multiple infiltrations connection terminated

http://www.sp2fucked.biz/user1/exploit.htm
HTML/Exploit.Mht.A trojan connection terminated

http://www.sp2fucked.biz/user1/new/classload.jar
multiple infiltrations connection terminated

http://www.sp2fucked.biz/user1/****.htm
HTML/Exploit.ObjData trojan connection terminated

http://www.sp2fucked.biz/user1/new/classload.jar
multiple infiltrations connection terminated
 

Gabriele Neukam

On that special day, aD, ([email protected]) said...
When I looked at the web page it didn't fetch any URLs with sp2fucked.biz
in them, maybe it gets different pages each time. There was definitely
viral content present though.

Are you sure that your hosts file is still good?


Gabriele Neukam

(e-mail address removed)
 

aD

Gabriele said:
On that special day, aD, ([email protected]) said...

Are you sure that your hosts file is still good?

My hosts file is checked frequently with its GPG detached signature file
and the user account I use day-to-day doesn't have access to change it :)

But I have checked anyway and it looks fine.

This is the list of URLs that were dispatched when I visited the site:
(Excuse the quoting, it will stop the URLs being wrapped)
Nov 12 12:01:58 Privoxy(02872) Request: www.drinkaware.co.uk/
Nov 12 12:02:00 Privoxy(01108) Request: www.drinkaware.co.uk/includes/drinkstyle.css
Nov 12 12:02:01 Privoxy(01108) Request: www.drinkaware.co.uk/includes/basics.js
Nov 12 12:02:02 Privoxy(02888) Request: www.drinkaware.co.uk/images/menu1.gif
Nov 12 12:02:02 Privoxy(02884) Request: www.drinkaware.co.uk/images/greyspacer.gif
Nov 12 12:02:02 Privoxy(02880) Request: www.drinkaware.co.uk/images/search.gif
Nov 12 12:02:02 Privoxy(01108) Request: www.drinkaware.co.uk/images/logo.gif
Nov 12 12:02:02 Privoxy(02884) Request: www.drinkaware.co.uk/images/menu2.gif
Nov 12 12:02:02 Privoxy(02880) Request: www.drinkaware.co.uk/images/menu3.gif
Nov 12 12:02:02 Privoxy(02888) Request: www.drinkaware.co.uk/images/menu4.gif
Nov 12 12:02:02 Privoxy(02900) Request: www.drinkaware.co.uk/images/menu5.gif
Nov 12 12:02:02 Privoxy(02896) Request: www.drinkaware.co.uk/images/menu6.gif
Nov 12 12:02:02 Privoxy(02880) Request: www.drinkaware.co.uk/images/menu7.gif
Nov 12 12:02:02 Privoxy(02900) Request: www.drinkaware.co.uk/images/home_img.jpg
Nov 12 12:02:02 Privoxy(02888) Request: www.drinkaware.co.uk/images/home_title.gif
Nov 12 12:02:02 Privoxy(02880) Request: www.drinkaware.co.uk/images/ftitle1.gif
Nov 12 12:02:02 Privoxy(02896) Request: www.drinkaware.co.uk/images/fimg1.jpg
Nov 12 12:02:02 Privoxy(02888) Request: www.drinkaware.co.uk/images/ftitle2.gif
Nov 12 12:02:02 Privoxy(02880) Request: www.drinkaware.co.uk/images/fimg2.jpg
Nov 12 12:02:02 Privoxy(02896) Request: www.drinkaware.co.uk/images/ftitle3.gif
Nov 12 12:02:02 Privoxy(02888) Request: www.drinkaware.co.uk/images/fimg3.jpg
Nov 12 12:02:02 Privoxy(02880) Request: www.wizardsworldwide.com/chat/chat/...tp://www.****lynx.com/lynx/Boobs/bigtits.html
Nov 12 12:02:03 Privoxy(02880) Request: toolbarpartner.com/in.php?wm=less
Nov 12 12:02:06 Privoxy(02880) Request: find-on-the-net.com/cookie.php
Nov 12 12:02:06 Privoxy(02604) Request: 209.8.20.130/dl/adv218.php
Nov 12 12:02:06 Privoxy(02824) Request: teens-dream.com/i.php
Nov 12 12:02:06 Privoxy(02836) Request: toolbarpartner.com/i.php?wm=less&rn=1100260830&rf=http://www.drinkaware.co.uk/
Nov 12 12:02:08 Privoxy(02824) Request: 63.219.178.91/connect.cgi?id=990
Nov 12 12:02:08 Privoxy(02824) Request: juicyland.com/mc/asian/?user=vins10000&&rwcx=1&adult=1&wmid=990
Nov 12 12:02:12 Privoxy(02880) Request: juicyland.com/mc/asian/screen.css
Nov 12 12:02:14 Privoxy(02880) Request: juicyland.com/mc/asian/images/tnASIA1930.jpg
Nov 12 12:02:14 Privoxy(02792) Request: juicyland.com/mc/asian/images/logo_asian.gif
Nov 12 12:02:14 Privoxy(02648) Request: juicyland.com/mc/asian/images/tnASIA231.jpg
Nov 12 12:02:14 Privoxy(02804) Request: juicyland.com/mc/asian/images/tnASIA2337.jpg
Nov 12 12:02:14 Privoxy(02792) Request: juicyland.com/mc/asian/images/tnASIA23%7E2.jpg
Nov 12 12:02:14 Privoxy(02880) Request: juicyland.com/mc/asian/images/tnASIA1932.jpg
Nov 12 12:02:16 Privoxy(02712) Request: 217.73.66.1/del/cmb_260933.exe

After which I cancelled it, maybe sp2fucked.biz was used later on.

Also very little (bad) happened while I had Privoxy enabled, a web content
filtering program that I use. It only lets sites I say touch JavaScript so
I proxy IE, Firefox and Thunderbird through it.

aD
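The two logs posted in this thread (Tx2's NOD32 URL/verdict pairs and aD's Privoxy request log) can be triaged mechanically. This is an added example, not code posted by anyone in the thread: the samples below are trimmed copies of the posted lines, and the function names and the extension list in PAYLOAD_EXT are my own assumptions. It flags every request that leaves the landing site and every direct fetch of an executable or Java archive, and collapses the repeated NOD32 hits into one line per URL.

```python
import re
from collections import Counter

# Constructed sample: Privoxy "Request:" lines in the host/path format posted above,
# trimmed to the hop from the landing page to the .exe fetch.
PRIVOXY_LOG = """\
Nov 12 12:01:58 Privoxy(02872) Request: www.drinkaware.co.uk/
Nov 12 12:02:01 Privoxy(01108) Request: www.drinkaware.co.uk/includes/basics.js
Nov 12 12:02:03 Privoxy(02880) Request: toolbarpartner.com/in.php?wm=less
Nov 12 12:02:06 Privoxy(02604) Request: 209.8.20.130/dl/adv218.php
Nov 12 12:02:16 Privoxy(02712) Request: 217.73.66.1/del/cmb_260933.exe
"""

# Constructed sample in the two-line NOD32 format posted earlier: URL, then verdict.
NOD32_LOG = """\
http://www.sp2fucked.biz/user1/new/GetAccess.class
Java/Exploit.Bytverify.F trojan connection terminated
http://www.sp2fucked.biz/user1/new/classload.jar
multiple infiltrations connection terminated

http://www.sp2fucked.biz/user1/new/GetAccess.class
Java/Exploit.Bytverify.F trojan connection terminated
"""

PRIVOXY_RE = re.compile(r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d Privoxy\(\d+\) Request: (\S+)")
# Assumed list: file types a page should not be pushing at a browser unasked.
PAYLOAD_EXT = (".exe", ".jar", ".class", ".cab", ".scr")

def privoxy_third_party(log, landing_host):
    """Requests to hosts other than the landing site, in order, plus payload fetches."""
    third, payloads = [], []
    for line in log.splitlines():
        m = PRIVOXY_RE.match(line)
        if not m:
            continue
        host, _, path = m.group(1).partition("/")
        if host.lower() == landing_host.lower():
            continue
        third.append((host, "/" + path))
        if path.split("?", 1)[0].lower().endswith(PAYLOAD_EXT):
            payloads.append((host, "/" + path))
    return third, payloads

def nod32_summary(log):
    """Collapse repeated URL/verdict pairs into {url: (verdict, hit_count)}."""
    lines = [l for l in log.splitlines() if l.strip()]
    counts, verdicts = Counter(), {}
    for url, verdict in zip(lines[0::2], lines[1::2]):
        counts[url] += 1
        verdicts[url] = verdict.replace(" connection terminated", "")
    return {u: (verdicts[u], counts[u]) for u in counts}

if __name__ == "__main__":
    print(privoxy_third_party(PRIVOXY_LOG, "www.drinkaware.co.uk"))
    print(nod32_summary(NOD32_LOG))
```

The third-party list is what you would hand to the upstream provider or registrar along with the AV name and definition date, as Bart asks for later in the thread.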
 

aD

Tx2 said:
FFS, i post a heads up, and unappreciative people do nothing but
criticise!

FWIW I wasn't aiming to slate/criticise you :)
Whatever - NOD32, which I trust a damn sight more than I ever will your
judgement, suggests otherwise.

Amen to that!

aD
 

Vanguard

Tx2 said:
The BBC has an article relating to alcohol "binge drinking" on its site
at http://news.bbc.co.uk/1/hi/health/4003229.stm

This site links to http://www.drinkaware.co.uk/

The latter seems to redirect to www.sp2fucked.biz which is laden with
viruses.

One to avoid if you have IE as it doesn't seem to affect Firefox


Domain registration (from http://www.whois.biz/):

.BIZ Registry WHOIS Data
Domain Name SP2FUCKED.BIZ
Domain ID D7921805-BIZ
Sponsoring Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Sponsoring Registrar IANA ID 303
Domain Status clientTransferProhibited
Registrant ID DI_694049
Registrant Name Home
Registrant Organization Home
Registrant Address1 Home
Registrant City Home
Registrant Postal Code 66666
Registrant Country Antigua and Barbuda
Registrant Country Code AG
Registrant Phone Number +91.226370256
Registrant Email (e-mail address removed)
Administrative Contact ID DI_694049
Administrative Contact Name Home
Administrative Contact Organization Home
Administrative Contact Address1 Home
Administrative Contact City Home
Administrative Contact Postal Code 66666
Administrative Contact Country Antigua and Barbuda
Administrative Contact Country Code AG
Administrative Contact Phone Number +91.226370256
Administrative Contact Email (e-mail address removed)
Billing Contact ID DI_694049
Billing Contact Name Home
Billing Contact Organization Home
Billing Contact Address1 Home
Billing Contact City Home
Billing Contact Postal Code 66666
Billing Contact Country Antigua and Barbuda
Billing Contact Country Code AG
Billing Contact Phone Number +91.226370256
Billing Contact Email (e-mail address removed)
Technical Contact ID DI_694049
Technical Contact Name Home
Technical Contact Organization Home
Technical Contact Address1 Home
Technical Contact City Home
Technical Contact Postal Code 66666
Technical Contact Country Antigua and Barbuda
Technical Contact Country Code AG
Technical Contact Phone Number +91.226370256
Technical Contact Email (e-mail address removed)
Name Server NS1.SP2FUCKED.BIZ
Name Server NS2.SP2FUCKED.BIZ
Created by Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Last Updated by Registrar DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Domain Registration Date Sat Oct 09 17:54:48 GMT 2004
Domain Expiration Date Sat Oct 08 23:59:59 GMT 2005
Domain Last Updated Date Sat Oct 09 17:57:44 GMT 2004

A traceroute to www.sp2fucked.biz (69.50.168.147) shows nlayer.net to be
their upstream provider. Did you bitch to nlayer.net about their
customer spreading viruses? nlayer.net is in Virginia USA (unlike the
sp2fucked.biz domain that *says* the registrant is in Antigua and
Barbuda). With the phony registrant data ("Home" in several of the
address fields), you could also complain to the .BIZ registrar
(DIRECTI.COM) to get that domain deleted but that registrar is in India
(and their tech support page requires Javascript - which my anonymous
proxy blocks). Their domain registration says to use (e-mail address removed)
to report [e-mail] abuse and also lists (e-mail address removed) for
their tech support contact.
 

Bart Bailey

Did you bitch to nlayer.net about their
customer spreading viruses?

Maybe they should confirm that this outfit is indeed spreading viral
material before making such a claim. Do an AV scan, identify suspect
files, give AV program used, def dates etc and what it reports as viral
to the ISP, otherwise they will come off as just another hysterical
uninformed alarmist, as they have in this newsgroup.
 

Roger Wilco

Tx2 said:
Oh FFS ... if you are going to pick ****ing holes, then i won't bother
posting warnings .... bollocks to you.

Well....adware trojans are not viruses anyway, but if anyone is collecting adware trojans you have hit a jackpot. It is
good to know that your AV is protecting you from these because they are not always only adware related exploits
and could have really been worms or viruses. Is there a place to report sites that have this sort of content?

Also, if your software is up-to-date then you probably aren't susceptible to these exploits. NOD32 will still alert
to the malware even so.
 
