reporting a new site / file for inclusion in MWAS signatures?


Karl Levinson MS MVP

I've read the MWAS beta FAQ, searched google and read
through these newsgroups. [I didn't see a search function
to search these groups.] I read that joining Spynet
allows you to report spyware, but I'm still not clear how
or whether someone like me who is not running MWAS can
report spyware or check to see whether a site or malware
is already blocked by MWAS.

I would like to submit the following site and/or file for
inclusion in the MWAS signatures. The following site is
currently hosting a malicious file that abuses the
security issue in the ADODB.stream method to do who knows
what. There seems to be little if any discussion of this
site per a Google search.

hostile site:

http://www.ncontextsearch.com /nop2//ADL.CHM
[remove the space after the domain name]

From my Windows event log:

"Event Type: Information
Event Source: ITSS
Event Category: None
Event ID: 1
Date: 8/26/2005
Time: 11:11:53 AM
User: N/A
Computer:
Description:
The description for Event ID ( 1 ) in Source ( ITSS )
cannot be found. The local computer may not have the
necessary registry information or message DLL files to
display messages from a remote computer. The following
information is part of the event:
mhtml:file://C:\foo.mht!http://www.ncontextsearch.com/nop2//ADL.CHM,
http://go.microsoft.com/fwlink?LinkID=45834."

This site has also hosted similar files in the past, as
the links below demonstrate.

http://www.eggheadcafe.com/forums/ForumPost.asp?ID=29079&INTID=3

http://translate.google.com/translate?hl=en&sl=de&u=http://www.mtb-news.de/forum/archive/index.php/t-176716.html&prev=/search%3Fq%3D%2522www.ncontextsearch.com%2522%26hl%3Den%26lr%3D%26c2coff%3D1%26safe%3Doff

http://groups.google.com/group/news.admin.net-abuse.sightings/browse_frm/thread/cdca098a605fe65c/ce5b738e573f750a?lnk=st&q=%22www.ncontextsearch.com%22&rnum=1&hl=en#ce5b738e573f750a

Here's what www.virustotal.com had to say about this file:

This is a report processed by VirusTotal on 08/26/2005 at
21:51:14 (CET) after scanning the file "ADL.CHM" file.

Antivirus      Version         Update      Result
AntiVir        6.31.1.0        08.26.2005  no virus found
Avast          4.6.695.0       08.26.2005  no virus found
AVG            718             08.26.2005  no virus found
Avira          6.31.1.0        08.26.2005  no virus found
BitDefender    7.0             08.26.2005  Exploit.ADODB.Stream.Gen
CAT-QuickHeal  8.00            08.26.2005  no virus found
ClamAV         devel-20050725  08.26.2005  Exploit.ADODB.Stream.Gen
DrWeb          4.32b           08.26.2005  no virus found
eTrust-Iris    7.1.194.0       08.25.2005  no virus found
eTrust-Vet     11.9.1.0        08.26.2005  no virus found
Fortinet       2.41.0.0        08.26.2005  VBS/Psyme.X-tr
F-Prot         3.16c           08.25.2005  no virus found
Ikarus         0.2.59.0        08.26.2005  no virus found
Kaspersky      4.0.2.24        08.26.2005  Trojan-Downloader.VBS.Psyme.x
McAfee         4568            08.26.2005  VBS/Psyme
NOD32v2        1.1202          08.25.2005  VBS/Psyme.W.gen
Norman         5.70.10         08.26.2005  no virus found
Panda          8.02.00         08.26.2005  no virus found
Sophos         3.97.0          08.26.2005  Troj/Psyme-AS
Sybari         7.5.1314        08.26.2005  Trojan-Downloader.VBS.Psyme.x
Symantec       8.0             08.25.2005  no virus found
TheHacker      5.8.2.095       08.26.2005  no virus found
VBA32          3.10.4          08.26.2005  Trojan-Downloader.VBS.Psyme.y

I would gladly have contacted the site itself to inform
them, in case they are unaware that this file is on their
web site, but they don't seem to want anyone contacting
them, as there is no contact information on their web
site, which seems deceptive. Haven't bothered doing a
whois lookup to try to contact them.

kind regards,

Karl Levinson, MS Security MVP
email: (e-mail address removed)
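An added example, not part of the original post and not Microsoft's or VirusTotal's code: a small Python script that automates the two checks a defender would want from a report like Karl's. It pulls the local container and the remote URL out of an ITSS Event ID 1 description of the form quoted above, flags a remote .chm reached through an mhtml: redirect, and tallies the VirusTotal result lines into a detections/engines count with the distinct detection names. The sample event and report are copied from the post with their wrapped lines joined; the regular expressions, field names and reason strings are this example's own assumptions, not taken from any vendor documentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, copied from the event log entry quoted in the post, with
# the wrapped Description joined back onto one line.
SAMPLE_ITSS_EVENT = r"""Event Type: Information
Event Source: ITSS
Event Category: None
Event ID: 1
Date: 8/26/2005
Time: 11:11:53 AM
User: N/A
Description: The description for Event ID ( 1 ) in Source ( ITSS ) cannot be found. The following information is part of the event: mhtml:file://C:\foo.mht!http://www.ncontextsearch.com/nop2//ADL.CHM, http://go.microsoft.com/fwlink?LinkID=45834."""

# Constructed sample: the VirusTotal rows from the post, one engine per line.
SAMPLE_VT_REPORT = """Antivirus Version Update Result
AntiVir 6.31.1.0 08.26.2005 no virus found
Avast 4.6.695.0 08.26.2005 no virus found
AVG 718 08.26.2005 no virus found
Avira 6.31.1.0 08.26.2005 no virus found
BitDefender 7.0 08.26.2005 Exploit.ADODB.Stream.Gen
CAT-QuickHeal 8.00 08.26.2005 no virus found
ClamAV devel-20050725 08.26.2005 Exploit.ADODB.Stream.Gen
DrWeb 4.32b 08.26.2005 no virus found
eTrust-Iris 7.1.194.0 08.25.2005 no virus found
eTrust-Vet 11.9.1.0 08.26.2005 no virus found
Fortinet 2.41.0.0 08.26.2005 VBS/Psyme.X-tr
F-Prot 3.16c 08.25.2005 no virus found
Ikarus 0.2.59.0 08.26.2005 no virus found
Kaspersky 4.0.2.24 08.26.2005 Trojan-Downloader.VBS.Psyme.x
McAfee 4568 08.26.2005 VBS/Psyme
NOD32v2 1.1202 08.25.2005 VBS/Psyme.W.gen
Norman 5.70.10 08.26.2005 no virus found
Panda 8.02.00 08.26.2005 no virus found
Sophos 3.97.0 08.26.2005 Troj/Psyme-AS
Sybari 7.5.1314 08.26.2005 Trojan-Downloader.VBS.Psyme.x
Symantec 8.0 08.25.2005 no virus found
TheHacker 5.8.2.095 08.26.2005 no virus found
VBA32 3.10.4 08.26.2005 Trojan-Downloader.VBS.Psyme.y
"""

# An ITSS payload of the form mhtml:file://<local container>!<resource> names
# the resource actually fetched after the "!". The regex and field names below
# are this example's own assumptions, not from any vendor documentation.
MHTML_REDIRECT = re.compile(
    r'mhtml:file://(?P<local>[^!\s]+)!(?P<remote>https?://[^\s,"]+)', re.IGNORECASE)
VT_ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$")


def parse_itss_event(text: str) -> Dict[str, str]:
    """Split an exported 'Key: value' event into a dict and pull the redirect apart."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; values keep their own colons
        if sep:
            fields[key.strip()] = value.strip()
    m = MHTML_REDIRECT.search(fields.get("Description", ""))
    fields["local_container"] = m.group("local") if m else ""
    fields["remote_url"] = m.group("remote") if m else ""
    return fields


def itss_event_reasons(fields: Dict[str, str]) -> List[str]:
    """Why this event deserves a look; an empty list means nothing matched."""
    reasons: List[str] = []
    if fields.get("Event Source") == "ITSS" and fields.get("Event ID") == "1":
        reasons.append("ITSS Event ID 1, the entry type shown in the post's log")
    remote = fields.get("remote_url", "")
    if remote:
        reasons.append("mhtml: container hands off to a remote http(s) resource")
        if remote.lower().rstrip("/").endswith(".chm"):
            reasons.append("the remote resource is a compiled HTML Help (.chm) file")
    return reasons


def parse_virustotal_report(report: str) -> List[Dict[str, str]]:
    """Parse the flat 'engine version update result' rows; the header line does not match."""
    matches = (VT_ROW.match(line.strip()) for line in report.splitlines())
    return [m.groupdict() for m in matches if m]


def summarize_detections(rows: List[Dict[str, str]]) -> Tuple[int, int, List[str]]:
    """(engines that flagged the file, engines total, sorted distinct detection names)."""
    hits = [r["result"] for r in rows if r["result"].lower() != "no virus found"]
    return len(hits), len(rows), sorted(set(hits))


if __name__ == "__main__":
    ev = parse_itss_event(SAMPLE_ITSS_EVENT)
    print("remote resource:", ev["remote_url"])
    for reason in itss_event_reasons(ev):
        print(" -", reason)
    detected, total, names = summarize_detections(parse_virustotal_report(SAMPLE_VT_REPORT))
    print(f"VirusTotal: {detected}/{total} engines flagged it as: {', '.join(names)}")
```

On the post's data the script reports 9 of 23 engines flagging the file, and every detection name refers either to the ADODB.Stream exploit or to the Psyme downloader family, so the differing vendor labels are one consensus rather than nine disagreements. The event parser splits only on the first colon of each line so that timestamps and the mhtml:/http: payload survive intact.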
 

Bill Sanderson

Thanks, Karl. The Tools, suspected spyware report is a way to get a
snapshot of an infected system to Spynet. However, this doesn't transmit
any binaries, and it fails on some systems due to a bug in beta1.

I do know that some MVPs have a channel to get this information to
Microsoft, including Jane Whitty (Calamity Jane) and Steve Wechsler.

I'll pass this message along as well.

