From: scotteh on 7 Dec 2007 13:13

Hi all

Anyone seen/heard anything about 0shares.net? Someone in the office obviously ran this virus and it got past SAV. Now every email she sends out (with eudora) has something like this on the bottom:

<br>----------------------------------------------------------------
<br>
Take a look at yourself in my short video since our last meeting<br>
<a href=http://0shares.net/flash/movie/getflash.php?id=cat>http://
0shares.net/flash/movie/getflash.php?id=cat</a><br>

OR

----------------------------------------------
Woohoo! Take a look at this!
http://0shares.net/flash/movie/cat.exe

It is not even visible in the original email in the Out Mailbox. I did a system scan with Symantec and found nothing. It's not in a signature file, and I couldn't find anything strange starting up in the normal RUN keys in the registry. I'm sure it's in there somewhere but I don't even know what to search for. I tried 0shares and got nothing except some history URLs (where it obviously came from).

Google and Yahoo and Symantec searches return absolutely nothing. Could this be brand new?

Any ideas? Even obvious ones. I haven't had to track down a virus in a couple of years and I don't even know where to start now.

This is Win98 (yup), ie6, eudora is current, and the virus def file for SAV is current.

Thanks
Scott

From: jen on 7 Dec 2007 14:36

"scotteh" <scotteh(a)gmail.com> wrote in message news:e5674b29-86ec-431d-871a-6da81f7b0921(a)f3g2000hsg.googlegroups.com...
> Hi all
> Anyone seen/heard anything about 0shares.net? Someone in the office
> obviously ran this virus and it got past SAV. Now every email she
> sends out (with eudora) has something like this on the bottom:
> <br>----------------------------------------------------------------
> <br>
> Take a look at yourself in my short video since our last meeting<br>
> <a href=http://0shares.net/flash/movie/getflash.php?id=cat>http://
> 0shares.net/flash/movie/getflash.php?id=cat</a><br>
> OR
> ----------------------------------------------
> Woohoo! Take a look at this!
> http://0shares.net/flash/movie/cat.exe
> It is not even visible in the original email in the Out Mailbox. I did
> a system scan with Symantec and found nothing. It's not in a signature
> file, and I couldn't find anything strange starting up in the normal
> RUN keys in the registry. I'm sure it's in there somewhere but I don't
> even know what to search for. I tried 0shares and got nothing except
> some history URLs (where it obviously came from).
> Google and Yahoo and Symantec searches return absolutely nothing.
> Could this be brand new?
> Any ideas? Even obvious ones. I haven't had to track down a virus in a
> couple of years and I don't even know where to start now.
> This is Win98 (yup), ie6, eudora is current, and the virus def file
> for SAV is current.

See here:
http://www.robtex.com/dns/0shares.net.html
http://www.robtex.com/whois/0shares.net.html

Smells like variant of Storm to me... Hopefully, Ant will come along to enlighten us :)

-jen

From: Ant on 7 Dec 2007 17:54

"jen" wrote:
> "scotteh" wrote:
>> hxxp://0shares.net/flash/movie/cat.exe
> Smells like variant of Storm to me... Hopefully, Ant will come along
> to enlighten us :)

I'd like to but the domain won't resolve right now. It has only recently been registered (4 dec) to a chinaman through rustelekom. That smells bad. Rustelekom is connected to the RBN (Russia Business Network), known cyber criminals.

From: Some Guy on 8 Dec 2007 17:51

info(a)rustelekom.biz wrote:
> We are not "connected to RBN" . We are "connected" to Russia.

Which makes you criminals. If not now, then at some point in the near future. After all, you pretty much universally elected Master Criminal and Thug Putin as emperor for another term.

From: info on 8 Dec 2007 20:46

On Dec 9, 1:01 am, "Ant" <n...(a)home.today> wrote:
> <i...(a)rustelekom.biz> (Dmtry Ivanov) wrote:
> > Please be a little more safe with your's explanation. We are not
> > "connected to RBN". We are "connected" to Russia. Our customer base
> > mainly is Russian's and that is not strange because we are russian
> > too.
>
> I'm sorry, that was very careless of me. When I saw rustelekom.biz
> as the registration service provider for 0shares.net I associated it
> with rustelecom; that is rustelecom.net who do appear to be linked in
> some way to the RBN. I have no reason to suspect rustelekom.biz is
> connected to the RBN.
>
> > We absolutely not like when someone
> > just call - "all russian's is bad", "all russian's is crime" and so on
>
> I would never do that. Some of my best software is Russian.
>
> Once again, I apologise for the mistake.

Hi,

It's ok. No problem. We all may have mistake. I know about what you talk. Rustelecom is small ISP who provide internet access for small city in Moscow province. About week or two ago, I've just seen their name under one of the SBL listing where they was listed as "fake" provider. It's another mistake. But origin of mistake is Spamhaus, because all russian ISP (BTW all russian host-provider too) is state licensed and checked. So, there is not reason call them as "fake" provider. May be their ip's been used for sending SPAM or anything else but it is the same issue like a SPAM was sent by using MCI, Comcast, Korea or Japan ISP and should be managed by standard way without treatment of country or nationality. If we all will go by another way, then we will get at least new Cold War if not Hot War.

If we do business in US we should follow US law, if we do business in Russia we should follow Russian legislation. If we use the internet then we should follow netiquette.

Best Regards
Dmitry