It is okay to post http://... here because we know what we are doing and they aren't hot links. But something like this:
hxxp://claitors.com/gifs/novo.php
IS HOT (I prepended a "hxxp://" to set a good example). It will give people a Visual Basic Trojan mini-downloader. So please educate people to replace the "http://" with "hxxp://", or to prepend a "hxxp://" to hosts given as just the host name, to deaden the link if the links are hot. I guess it could have been worse in the past but:
http://www.virustotal.com/analisis/7aa53fc0837d918b14f2bddc0d6aa92f
If I had Authentium, ClamAV, eSafe, F-Prot, or Rising I would still be in trouble! The embedded host is www.agrimat.com.br. I don't know the rest of the URL. It responds to an ICMP ping but there seems to be no index.html, at least on port 80. You will have to dissect the file to see what it does with that partial URL:
www.agrimat.com.br
windir
\system32\1046\lsass.exe
/image/barra5.jpg
\system32\1046\spoolsv.exe
/image/barra3.jpg
\system32\1046\ab.exe
/image/barra4.jpg
It is still downloadable - name NovoDocumento1.exe. Long time for me not writing. Hope to be back soon with goodies. But beware of Greeks bearing gifts. Some girls compared me with the Greek God Apollo when I was younger. I feel more like Sisyphus now ...
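
The deadening rule described above, as an added example that is not part of the original post: known-good hosts stay clickable and every other http/https link becomes hxxp/hxxps. The function names, the safe-host list and the .example hosts are constructed for illustration, and "hxxps" for https is the common convention rather than something this post states.

```python
import re
from urllib.parse import urlsplit

# Anything a browser, forum or mail client would turn into a clickable link.
URL_RE = re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE)


def _is_safe(host, safe_hosts):
    """True only for an exact safe host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in safe_hosts)


def _deaden(url):
    """http -> hxxp, https -> hxxps; the rest of the URL is left untouched."""
    scheme, rest = url.split("://", 1)
    return scheme.lower().replace("tt", "xx") + "://" + rest


def defang_text(text, safe_hosts=()):
    """Deaden every live link in text unless its real host is in safe_hosts."""
    def repl(match):
        url = match.group(0)
        try:
            # .hostname ignores any "user@" prefix, so a link such as
            # http://safe.example@bad.example/ is judged by bad.example.
            host = urlsplit(url).hostname or ""
        except ValueError:
            host = ""  # unparsable URL: treat as hot
        return url if _is_safe(host, safe_hosts) else _deaden(url)
    return URL_RE.sub(repl, text)


def defang_host(host):
    """Prepend hxxp:// to a bare host name; already dead links are unchanged."""
    if re.match(r"(?i)hxxps?://", host):
        return host
    if re.match(r"(?i)https?://", host):
        return defang_text(host)
    return "hxxp://" + host


if __name__ == "__main__":
    # Constructed sample post; both hosts are placeholders.
    post = ("Scan: http://www.scanner.example/report/1 "
            "sample: http://dropper.example/gifs/a.php")
    print(defang_text(post, safe_hosts=("scanner.example",)))
    print(defang_host("dropper.example"))
```

Running the output through defang_text a second time changes nothing, so it is safe to apply to text that is already partly deadened.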