Maker Pro

Electrostatics mistakes, Capacitance independence from dielectric

Michael A. Terrell



You'll have to come back next year, since we've already bagged our
limit on idiots for this year.


--
Service to my country? Been there, Done that, and I've got my DD214 to
prove it.
Member of DAV #85.

Michael A. Terrell
Central Florida
 
Lostgallifreyan

Darn. Another thing that's not supported on my Linux system.

This is why I have Proximtron replace VBscript with FucktardScript. It's
perfect for cases like this one. A look at his page's source shows a large
wodge of binary executable code. It's a deliberate attempt to infect
people's machines. It's the kind of thing that makes spam look like the
trivia it is, so if some of those who are keen to stamp out spam in these
groups were to get on the case of this thing, it might be time well spent.
 
Lostgallifreyan

This is why I have Proximtron replace VBscript with FucktardScript.
It's perfect for cases like this one. A look at his page's source shows
a large wodge of binary executable code. It's a deliberate attempt to
infect people's machines. It's the kind of thing that makes spam look
like the trivia it is, so if some of those who are keen to stamp out
spam in these groups were to get on the case of this thing, it might
be time well spent.

(Proxomitron..)

Not that I reposted just to correct that dumb typo. :) I've decided to
forward that URL to the Topcites abuse section. I think they'll want that
stopped ASAP especially as this isn't the first time this has been
attempted by the same person.
 
Lostgallifreyan

Hmmm.. It's not exactly a Geocities clone :) The 'abuse section' might well
be one guy Kenny Jou ([email protected]), according to a DirectNIC
whois test of topcities.com.

I sent him the following message:


[BEGIN]
"Abuse of Topcities hosting. Deliberate viral infector."

http://ansari1.topcities.com/

Please NUKE this guy's account and do usenet a favour!

The person leasing that domain is deliberately trying to get people on
usenet (and maybe other systems) to visit his site, on which he hosts a
VisualBasic script with a large block of executable binary code designed to
infect people with a virus that several people have independently
identified as VBS/Redlof. I ignored the first time this idiot did this a
couple of weeks ago, but it shouldn't be left unchecked.

Please nuke his account, I don't think there's any need to ask him nicely
or to give him a chance to change the script, he probably had to work to
put it there.
[END]

If anyone can do better than this and is feeling petulant and with time to
spare, have at it.
 
Lostgallifreyan said:
The person leasing that domain is deliberately trying to get people on
usenet (and maybe other systems) to visit his site, on which he hosts a
VisualBasic script with a large block of executable binary code designed to
infect people with a virus that several people have independently
identified as VBS/Redlof. I ignored the first time this idiot did this a
couple of weeks ago, but it shouldn't be left unchecked.

VIRUS NAME : VBS/Redlof@M

Virus Characteristics

This is a file infecting VBScript that sets a default, infected,
stationery file for the Microsoft Outlook and Outlook Express email
client programs. It exploits the Microsoft VM ActiveX Component
Vulnerability.

The script arrives in an email message, hidden from the user, or can be
present on websites that contain infected .HTM files. The virus uses
the BODY ONLOAD event to trigger the infection. .HTM and .HTT files on
the local system are infected by appending them with the encrypted
viral code. .HTT files are prepended with the BODY ONLOAD trigger,
while this action is placed at the beginning of the virus body in .HTM
files. The default mail account is retrieved from the registry and a
stationery file is created, "BLANK.HTM", and is set as the default
stationery file.

* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360=blank
* HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery=blank

The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS
SYSTEM directory and a registry run key is created to load the script
at startup:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll

This is effective due to the fact that several other registry keys are
created to re-associate .DLL files with the WSCRIPT.EXE handler.

* HKEY_CLASSES_ROOT\dllfile\ScriptEngine\(Default)=VBScript
* HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
* HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\(Default)=C:\WINDOWS\WScript.exe "%1" %*
* HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}


Symptoms

- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents



Method Of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to
infect .HTM documents and configure email clients to include an
infected document along with each message that is sent out.
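The write-up above lists where Redlof leaves its traces: appended VBScript in .HTM/.HTT pages, KERNEL.DLL in the SYSTEM directory, and the Run key and dllfile association changes in the registry. As an added example, not code from this thread or from the antivirus page it quotes, here is a small Python scanner for exactly those indicators. The registry check reads a Regedit text export rather than the live registry so it runs on any system; the sample page, the registry export, the 11,160-byte placeholder file and the `Init()` ONLOAD handler name are all constructed for the demo and are not taken from a real sample.

```python
"""Scan for the VBS/Redlof indicators the quoted write-up lists.
Added example, not code from the thread or the antivirus page it quotes.
Checks: .HTM/.HTT pages carrying a VBScript block with an ExeString blob
(and the BODY ONLOAD trigger), KERNEL.DLL dropped into SYSTEM, and the Run
key / dllfile association changes, read from a Regedit text export so it
runs anywhere. All sample data below is constructed."""
import os
import re
import tempfile

HTML_PATTERNS = {  # text patterns taken from the write-up and the quoted page source
    "vbscript-block": re.compile(r'<script\s+language\s*=\s*"?vbscript"?', re.I),
    "exestring-blob": re.compile(r'\bExeString\s*=\s*"', re.I),
    "body-onload": re.compile(r"<body[^>]*\bonload\s*=", re.I),
}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DLL_OPEN_KEY = r"HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command"
DLL_ENGINE_KEY = r"HKEY_CLASSES_ROOT\dllfile\ScriptEngine"


def scan_html_file(path):
    """Return the indicator names found in one .htm/.htt file."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        data = fh.read()
    return [name for name, pat in HTML_PATTERNS.items() if pat.search(data)]


def scan_tree(root):
    """{path: indicators} for pages with both the VBScript block and the ExeString
    blob; BODY ONLOAD alone is ordinary HTML and is only supporting evidence."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().rsplit(".", 1)[-1] not in ("htm", "html", "htt"):
                continue
            path = os.path.join(dirpath, fn)
            hits = scan_html_file(path)
            if "vbscript-block" in hits and "exestring-blob" in hits:
                findings[path] = hits
    return findings


def find_dropped_file(system_dir, expected_size=11160):
    """Look for KERNEL.DLL (any case) in system_dir; 11,160 bytes per the write-up."""
    for entry in os.listdir(system_dir):
        if entry.lower() == "kernel.dll":
            path = os.path.join(system_dir, entry)
            size = os.path.getsize(path)
            return {"path": path, "size": size, "size_matches": size == expected_size}
    return None


def parse_reg_export(text):
    """Parse a Regedit text export into {key: {value: data}}; '@' is (Default)."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            reg[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return reg


def check_registry(reg):
    """Return the registry indicators present in a parsed export."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == "kernel32" or data.lower().endswith("kernel.dll"):
            hits.append("run-key:" + name)
    if "wscript.exe" in reg.get(DLL_OPEN_KEY, {}).get("(Default)", "").lower():
        hits.append("dllfile-opens-with-wscript")
    if reg.get(DLL_ENGINE_KEY, {}).get("(Default)", "").lower() == "vbscript":
        hits.append("dllfile-scriptengine-vbscript")
    return hits


# Constructed samples: a harmless page shaped like the quoted source (Init() is made up).
INFECTED_HTM = (
    "<html><body>Electrostatics notes</body></html>\n"
    '<BODY onload="vbscript:Init()"><script language="vbscript">\n'
    'ExeString = "PLACEHOLDER-NOT-A-REAL-PAYLOAD..."\n</script>\n'
)
CLEAN_HTM = '<html><body onload="init()"><script>var x = 1;</script></body></html>\n'
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"
[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"
[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"
"""


def run_demo():
    """Write the constructed samples to a temp dir and run all three checks."""
    root = tempfile.mkdtemp(prefix="redlof-demo-")
    sysdir = os.path.join(root, "SYSTEM")
    os.makedirs(sysdir)
    for name, body in (("index.htm", INFECTED_HTM), ("clean.htm", CLEAN_HTM)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    with open(os.path.join(sysdir, "Kernel.dll"), "wb") as fh:
        fh.write(b"\x00" * 11160)  # size stand-in only, not a real sample
    infected = sorted(os.path.basename(p) for p in scan_tree(root))
    return infected, check_registry(parse_reg_export(REG_EXPORT)), find_dropped_file(sysdir)
```

Run `run_demo()` to see the three results; on a real machine you would point `scan_tree` at the web root or user profile, `find_dropped_file` at the Windows SYSTEM directory, and feed `parse_reg_export` the output of `regedit /e`. The page-level rule deliberately requires both the VBScript block and the ExeString assignment, because an IE-era page may legitimately carry a `<script language="vbscript">` block or a `BODY ONLOAD` handler on its own.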
 
Mike Monett

Lostgallifreyan said:
Not that I reposted just to correct that dumb typo. :) I've decided
to forward that URL to the Topcites abuse section. I think they'll
want that stopped ASAP especially as this isn't the first time this
has been attempted by the same person.

That will be the second or third report. I also filed a report earlier this
morning when it first appeared.

Regards,

Mike Monett

Antiviral Antibacterial Silver Solution:
http://silversol.freewebpage.org/index.htm
SPICE Analysis of Crystal Oscillators:
http://silversol.freewebpage.org/spice/xtal/clapp.htm
Noise-Rejecting Wideband Sampler:
http://www3.sympatico.ca/add.automation/sampler/intro.htm
 
Rich Grise

Me said:
This is why I have Proximtron replave VBscript with FucktardScript. It's
perfect for cases like this one. A look at his pages source shows a large
wodge of binary executable code.

He doesn't even try to hide it!
-----<quote>-----
<script language="vbscript">
ExeString =
"<bunch of binary crap>...
-----</quote>-----

Cheers!
Rich
 
Rich Grise

Your English is crap, and there is no math in your crazy ranting. You
will go in my kill file. You are crazy.

And you've looked.


Better run your virus scanner!

Good Luck!
Rich
 
Lostgallifreyan

[email protected] wrote in
VIRUS NAME : VBS/Redlof@M

Virus Characteristics

This is a file infecting VBScript that sets a default, infected,
stationery file for the Microsoft Outlook and Outlook Express email
client programs. It exploits the Microsoft VM ActiveX Component
Vulnerability.

The script arrives in an email message, hidden from the user, or can
be present on websites that contain infected .HTM files. The virus
uses the BODY ONLOAD event to trigger the infection. .HTM and .HTT
files on the local system are infected by appending them with the
encrypted viral code. .HTT files are prepended with the BODY ONLOAD
trigger, while this action is placed at the beginning of the virus
body in .HTM files. The default mail account is retrieved from the
registry and a stationery file is created, "BLANK.HTM", and is set as
the default stationery file.

* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360=blank
* HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery=blank

The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS
SYSTEM directory and a registry run key is created to load the script
at startup:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll

This is effective due to the fact that several other registry keys are
created to re-associate .DLL files with the WSCRIPT.EXE handler.

* HKEY_CLASSES_ROOT\dllfile\ScriptEngine\(Default)=VBScript
* HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
* HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\(Default)=C:\WINDOWS\WScript.exe "%1" %*
* HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}


Symptoms

- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents



Method Of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to
infect .HTM documents and configure email clients to include an
infected document along with each message that is sent out.


So you're saying it maybe isn't deliberate? Ok, but that guy was told last
time, and has done nothing to secure his system, and everything to try to
get people to click his infected page. How far should people be protected
from their own folly? This time others need protection from him.
 
Lostgallifreyan

He doesn't even try to hide it!
-----<quote>-----
<script language="vbscript">
ExeString =
"<bunch of binary crap>...
-----</quote>-----

Cheers!
Rich

Yep, I think mike j harvey is right, it's probably not deliberate, he just
got infected. Even so, he's been told before, has done nothing except
repost attempts to get people to visit the infected page, so he needs to be
stopped cos he can't help himself. :) Mike Monett has the right idea. I
think if there are more reports, someone will stop it at source.
 
Lostgallifreyan said:
Yep, I think mike j harvey is right, it's probably not deliberate, he just
got infected.

I didn't actually mean to imply ***anything at all*** about whether his
site was knowingly infected by him or not. I merely copied-and-pasted
the description of this virus from a website namely

http://www.virus-scan-software.com/latest-virus-software/latest-viruses/vbsredlof-m.shtml

He seems so crazy that it seems feasible that he knows nothing about
the virus, although if you go to Google Groups and look at "messages by
this author" you'll see that until very recently he was using Geocities
for his crazy pages. The address (now unavailable) was:-

http://www.geocities.com/hamid_vasigh_ansari
 
Lostgallifreyan

[email protected] wrote in
I didn't actually mean to imply ***anything at all*** about whether
his site was knowingly infected by him or not. I merely
copied-and-pasted the description of this virus from a website namely

http://www.virus-scan-software.com/latest-virus-software/latest-viruses/vbsredlof-m.shtml

He seems so crazy that it seems feasible that he knows nothing about
the virus, although if you go to Google Groups and look at "messages
by this author" you'll see that until very recently he was using
Geocities for his crazy pages. The address (now unavailable) was:-

http://www.geocities.com/hamid_vasigh_ansari

Yes. Graham (Eeyore) posted that to bring attention to the earlier thread.
Also, I think that Topcities is a very small operation, not at all to be
confused with Geocities, the original host. So, as the page itself has been
migrated to more than one host, virus intact, I think we can assume that
the attempt to spread the virus is very deliberate. Geocities have taken
down the original, and no doubt told 'ansari' why they did so, and again,
this person is trying to infect people.

I posted word to the guy who registered the Topcities domain, but haven't
heard word back, nor is that page offline yet.

Graham posted in the earlier thread today, and his post shows stuff that
places 'ansari' in Iran, so there's no chance of getting any kind of action
there, they have bigger problems. So we'll just have to get to his hosting
base each time.
 
Yes. Graham (Eeyore) posted that to bring attention to the earlier thread.
Also, I think that Topcities is a very small operation, not at all to be
confused with Geocities, the original host. So, as the page itself has been
migrated to more than one host, virus intact, I think we can assume that
the attempt to spread the virus is very deliberate. Geocities have taken
down the original, and no doubt told 'ansari' why they did so, and again,
this person is trying to infect people.

Maybe ansari doesn't have a clue regarding viruses.
I posted word to the guy who registered the Topcities domain, but haven't
heard word back, nor is that page offline yet.

Clueless webbhotel? ;)
Graham posted in the earlier thread today, and his post shows stuff that
places 'ansari' in Iran, so there's no chance of getting any kind of action
there, they have bigger problems. So we'll just have to get to his hosting
base each time.

If the country won't handle abuse properly, there's always the option to
promote netblocking of it.
 
ian field

Maybe ansari doesn't have a clue regarding viruses.


Clueless webbhotel? ;)


If the country won't handle abuse properly, there's always the option to
promote netblocking of it.

CAUTION!

Can anyone check my reply is clean?

AVG seems to be struggling a bit with this one!!!
 
Eeyore

ian said:
CAUTION!

Can anyone check my reply is clean?

AVG seems to be struggling a bit with this one!!!

Nothing here but I'm sure news needs an attachment to carry a virus.

If your AVG was up to date you were fine.

Graham
 
ian field

Eeyore said:
Nothing here but I'm sure news needs an attachment to carry a virus.

If your AVG was up to date you were fine.

Graham

AVG updated earlier today - when I scanned after the warning about the
infected link it found the VB virus but halted with an error when I clicked
"heal", and when I clicked "move to virus vault" the PC appeared to lock up!
However the lock up may have been the NiMh's in the wireless mouse giving
out at the most inconvenient time possible!! The scan I've just done reports
clean (fingers crossed!).

Thanks for checking by.
 