latest spam postings


sgopus

You would think that MS would have blocked or removed this latest batch of
615 spams about warez&Games. Most likely they contain some virus and malware
along with spyware; hopefully nobody tries to open them.
 
sgopus said:
You would think that MS would have blocked or removed this latest batch of
615 spams about warez&Games. Most likely they contain some virus and malware
along with spyware; hopefully nobody tries to open them.

Geeeeezzzz, I did. Filled my PC with all kinds of garbage. Now I guess I'll
have to reformat. Oh well, it'll give "Alias" a lot to laugh about. I guess I
should have installed Linux! ;-)
 
I see all 615 of them but didn't open any. Judging by Mort's reply (he/she
doesn't know what you're talking about), I'd say MS has removed all of them.
 
When I saw them, I blocked the sender; I should not have done that. But I
immediately scanned for malware and found this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL
(Fake.Driver) -> Quarantined and deleted successfully
 
From: "sgopus" <[email protected]>

| You would think that MS would have blocked or removed this latest batch of
| 615 spams about warez&Games. Most likely they contain some virus and malware
| along with spyware; hopefully nobody tries to open them.

That was NOT spam.

That was a malware stream.

What you saw was only the third part of a 3 part multi-post. The MS News Server limits
the size of attachments and thus blocked posts for parts 1 and 2. However post part 3 was
small enough to make it to the server.

Combined they comprised a RAR file that contained an EXE. That EXE was extremely
poorly detected.

http://www.virustotal.com/analisis/b977bacf32bbe0ee034c503de03f4231

Norman 6.00.06 2009.03.10 W32/Smalldoor.DRWN

What was detected did NOT reflect the fact that it was a password/data stealer.
The stolen data would be posted via FTP to an FTP server in Germany.

Files created:
%Temp%\cho.txt
%Temp%\fire.txt
%Temp%\ie.txt
%Temp%\key.txt
%Temp%\dial.txt
%Temp%\mail.txt
%Temp%\msg.txt
%Temp%\ps.txt
%Temp%\ste.txt
%Temp%\%UserName%@%ComputerName%.html

FTP Connection:
ftp.wuda101.wu.ohost.de:21
Username: wuda101
Password: wudxxxxxx { password obfuscated to protect user data }

Otherwise your basic "SC Lite Stealer" based trojan.
 
From: "Meebers" <[email protected]>

| When I saw them, I blocked the sender; I should not have done that. But I
| immediately scanned for malware and found this:
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL
| (Fake.Driver) -> Quarantined and deleted successfully


Had NOTHING to do with the posted files!
 
I guess that is good news for me... but should my malware scan have picked
up something?
 
From: "Meebers" <[email protected]>

| I guess that is good news for me... but should my malware scan have picked
| up something?

No. Did you read my other post?

"What you saw was only the third part of a 3 part multi-post. The MS News Server limits
the size of attachments and thus blocked posts for parts 1 and 2. However post part 3 was
small enough to make it to the server."

Since the file was embedded in a RAR and was broken into three parts and only the third
part (~62KB) made it to the MS News Server, there was nothing really to be detected. You
would have had to have all three posted parts and then combined them to even get the RAR
file.

BTW: when you posted "...scanned for Malware and found this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL "

Was that Malwarebytes Anti-Malware that detected the above?
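The triage argument above (a split binary post whose missing parts mean the archive can never be rebuilt, so the surviving fragment carries nothing to scan) can be checked mechanically from article subjects. This is an added example, not code from the thread or from any newsreader; the subject lines and the "(part/total)" marker format are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample article subjects (not headers from the thread). They use
# the usual "name (part/total)" convention for split binary posts; pack001
# mirrors the case above, where only part 3 of 3 reached the server.
SAMPLE_SUBJECTS = [
    "Warez&Games pack - pack001.rar (3/3)",
    "Warez&Games pack - pack002.rar (1/3)",
    "Warez&Games pack - pack002.rar (2/3)",
    "Warez&Games pack - pack002.rar (3/3)",
    "Re: latest spam postings",
    "Warez&Games pack - pack003.rar [2/3]",
]

# Trailing "(3/3)" or "[3/3]" marker; everything before it is the base name.
PART_RE = re.compile(r"^(?P<base>.*?)\s*[\(\[](?P<idx>\d+)\s*/\s*(?P<total>\d+)[\)\]]\s*$")


def parse_subject(subject):
    """Return (base, part_index, part_total), or None if not a multipart subject."""
    m = PART_RE.match(subject)
    if m is None:
        return None
    idx, total = int(m.group("idx")), int(m.group("total"))
    if not 1 <= idx <= total:
        return None  # malformed marker: treat as a plain subject
    return m.group("base").strip(), idx, total


def group_parts(subjects):
    """Map (base, total) -> set of part numbers actually present."""
    seen = defaultdict(set)
    for subject in subjects:
        parsed = parse_subject(subject)
        if parsed is not None:
            base, idx, total = parsed
            seen[(base, total)].add(idx)
    return seen


def find_incomplete(subjects):
    """Return {base: [missing parts]} for sets that cannot be reassembled."""
    # A set with missing parts cannot yield its archive, so the fragment that
    # did arrive is not something a scanner can meaningfully detect.
    incomplete = {}
    for (base, total), parts in group_parts(subjects).items():
        missing = sorted(set(range(1, total + 1)) - parts)
        if missing:
            incomplete[base] = missing
    return incomplete
```

Running `find_incomplete(SAMPLE_SUBJECTS)` reports pack001 missing parts 1 and 2, which is exactly the situation in which a local scan of what arrived finds nothing.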
 
YES

David H. Lipman said:
BTW: when you posted "...scanned for Malware and found this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL "

Was that Malwarebytes Anti-Malware that detected the above?
 
In Meebers typed on Tue, 10 Mar 2009 20:08:54 -0400:
When I saw them, I blocked the sender; I should not have done that. But I
immediately scanned for malware and found this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL
(Fake.Driver) -> Quarantined and deleted successfully

How can that be? They are encoded and Outlook Express can't decode them.

--
Bill
2 Gateway MX6124 - Windows XP SP2
3 Asus EEE PC 701G4 ~ 2GB RAM ~ 16GB-SDHC
2 Asus EEE PC 702G8 ~ 1GB RAM ~ 16GB-SDHC
Windows XP SP2 ~ Xandros Linux - Puppy - Ubuntu
 
Hi,

".....I see all 615.....I'd say MS has removed all of them."

Actually there were closer to two hundred of them, and it wasn't M$ that
made them go away from microsoft.public.windowsxp.general, it was me. If
you still see them here it's just because your reader loaded the headers
before I got rid of them; they're gone for everyone later. I blasted
them around 4:30 this afternoon.

No, it wasn't me that posted them in the first place, but I like reading
around here enough to do a little maintenance every once in a while.

---==X={}=X==---

Jim Self

AVIATION ANIMATION, the internet's largest depository.
http://avanimation.avsupport.com

Your only internet source for spiral staircase plans.
http://jself.com/stair/Stair.htm

Experimental Aircraft Association #140897
EAA Technical Counselor #4562
 