Guest
http://ansari1.topcities.com/
Your English is crap, and there is no math in your crazy ranting. You
http://ansari1.topcities.com/
There's a virus there. VBS/Redlof
http://ansari1.topcities.com/
Darn. Another thing that's not supported on my Linux system.
h_v_ansari@yahoo.com wrote:
http://ansari1.topcities.com/
There's a virus there. VBS/Redlof
This is why I have Proximtron replace VBscript with FucktardScript. It's
Eeyore wrote:
h_v_ansari@yahoo.com wrote:
http://ansari1.topcities.com/
There's a virus there. VBS/Redlof
Darn. Another thing that's not supported on my Linux system.
(Proxomitron..)
"Paul Hovnanian P.E." <paul@hovnanian.com> wrote in
news:44BBCFB1.6868B448@hovnanian.com:
Eeyore wrote:
h_v_ansari@yahoo.com wrote:
http://ansari1.topcities.com/
There's a virus there. VBS/Redlof
Darn. Another thing that's not supported on my Linux system.
This is why I have Proximtron replace VBscript with FucktardScript.
It's perfect for cases like this one. A look at his pages source shows
a large wodge of binary executable code. It's a deliberate attempt to
infect people's machines. It's the kind of thing that makes spam look
like the trivia it is, so if some of those who are keen to stamp out
spam in these groups were to get on the case of this thing, it might
be time well spent.
VIRUS NAME : VBS/Redlof@M
The person leasing that domain is deliberately trying to get people on
usenet (and maybe other systems) to visit his site, on which he hosts a
VisualBasic script with a large block of executable binary code designed to
infect people with a virus that several people have independently
identified as VBS/Redlof. I ignored the first time this idiot did this a
couple of weeks ago, but it shouldn't be left unchecked.
That will be the second or third report. I also filed a report earlier this
Not that I reposted just to correct that dumb typo.
I've decided
to forward that URL to the Topcites abuse section. I think they'll
want that stopped ASAP especially as this isn't the first time this
has been attempted by the same person.
Me, too. <sigh> ;-)
"Paul Hovnanian P.E." <paul@hovnanian.com> wrote in
Eeyore wrote:
h_v_ansari@yahoo.com wrote:
http://ansari1.topcities.com/
There's a virus there. VBS/Redlof
Darn. Another thing that's not supported on my Linux system.
He doesn't even try to hide it!
This is why I have Proximtron replace VBscript with FucktardScript. It's
perfect for cases like this one. A look at his pages source shows a large
wodge of binary executable code.
And you've looked.
h_v_ansari@yahoo.com wrote:
http://ansari1.topcities.com/
Your English is crap, and there is no math in your crazy ranting. You
will go in my kill file. You are crazy.
Lostgallifreyan wrote:
The person leasing that domain is deliberately trying to get people
on usenet (and maybe other systems) to visit his site, on which he
hosts a VisualBasic script with a large block of executable binary
code designed to infect people with a virus that several people have
independently identified as VBS/Redlof. I ignored the first time this
idiot did this a couple of weeks ago, but it shouldn't be left
unchecked.
VIRUS NAME : VBS/Redlof@M
Virus Characteristics
This is a file infecting VBScript that sets a default, infected,
stationery file for the Microsoft Outlook and Outlook Express email
client programs. It exploits the Microsoft VM ActiveX Component
Vulnerability.
The script arrives in an email message, hidden from the user, or can
be present on websites that contain infected .HTM files. The virus
uses the BODY ONLOAD event to trigger the infection. .HTM and .HTT
files on the local system are infected by appending them with the
encrypted viral code. .HTT files are prepended with the BODY ONLOAD
trigger, while this action is placed at the beginning of the virus
body in .HTM files. The default mail account is retrieved from the
registry and a stationery file is created, "BLANK.HTM", and is set as
the default stationery file.
* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360=blank
* HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery=blank
The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS
SYSTEM directory and a registry run key is created to load the script
at startup:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll
This is effective due to the fact that several other registry keys are
created to re-associate .DLL files with the WSCRIPT.EXE handler.
* HKEY_CLASSES_ROOT\dllfile\ScriptEngine\(Default)=VBScript
* HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
* HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\(Default)=C:\WINDOWS\WScript.exe "%1" %*
* HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}
Symptoms
- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents
Method Of Infection
This worm exploits a Microsoft Internet Explorer vulnerability to
infect .HTM documents and configure email clients to include an
infected document along with each message that is sent out.
Yep, I think mike j harvey is right, it's probably not deliberate, he just
On Mon, 17 Jul 2006 18:16:06 +0000, Lostgallifreyan wrote:
"Paul Hovnanian P.E." <paul@hovnanian.com> wrote in
Eeyore wrote:
h_v_ansari@yahoo.com wrote:
http://ansari1.topcities.com/
There's a virus there. VBS/Redlof
Darn. Another thing that's not supported on my Linux system.
Me, too. <sigh> ;-)
This is why I have Proximtron replace VBscript with FucktardScript.
It's perfect for cases like this one. A look at his pages source
shows a large wodge of binary executable code.
He doesn't even try to hide it!
-----<quote>-----
script language="vbscript"
ExeString =
"<bunch of binary crap>...
-----</quote>-----
Cheers!
Rich
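As an added example (not part of the thread, the quoted virus description, or Rich's post), a small Python checker for the indicators named above: the registry settings listed in the description and the BODY ONLOAD trigger plus `ExeString` vbscript block shown in the quoted page source. The registry snapshot, the HKLM/HKCR hive abbreviations and the sample documents are constructed here; on a real host the mapping would be filled from a registry export and a directory walk.

```python
import re

# Registry settings from the description, hive\key\value -> pattern that
# marks the infected setting (HKLM = HKEY_LOCAL_MACHINE, HKCR = HKEY_CLASSES_ROOT).
REDLOF_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32":
        re.compile(r"\\kernel\.dll$", re.I),
    r"HKCR\dllfile\Shell\Open\Command\(Default)":
        re.compile(r"wscript\.exe", re.I),
    r"HKCR\dllfile\ScriptEngine\(Default)":
        re.compile(r"^vbscript$", re.I),
}
# Infected .HTM/.HTT files carry a BODY ONLOAD trigger and a vbscript block
# assigning the encoded payload to ExeString (as in the quoted page source).
ONLOAD_TRIGGER = re.compile(r"<body[^>]*\bonload\s*=", re.I)
VBS_PAYLOAD = re.compile(
    r'<script[^>]*language\s*=\s*"?vbscript"?[^>]*>\s*ExeString\s*=', re.I)

def check_registry(snapshot):
    """Return the indicator keys whose data in snapshot matches Redlof."""
    return [key for key, pattern in REDLOF_REGISTRY.items()
            if key in snapshot and pattern.search(snapshot[key])]

def check_document(html):
    """True only when a document shows both infection marks, so a page
    with an ordinary onload handler is not reported."""
    return bool(ONLOAD_TRIGGER.search(html) and VBS_PAYLOAD.search(html))

# Constructed samples (not taken from the site discussed in the thread).
INFECTED_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32":
        r"C:\WINDOWS\SYSTEM\Kernel.dll",
    r"HKCR\dllfile\Shell\Open\Command\(Default)":
        r'C:\WINDOWS\WScript.exe "%1" %*',
    r"HKCR\dllfile\ScriptEngine\(Default)": "VBScript",
}
CLEAN_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Program Files\Example\updater.exe",
}
INFECTED_HTM = ('<html><body onload="vbscript:start()">\n'
                '<script language="vbscript">\nExeString = "...encoded...\n')
CLEAN_HTM = '<html><body onload="init()"><script>init()</script></body></html>'

if __name__ == "__main__":
    print("registry hits:", check_registry(INFECTED_REGISTRY))
    print("index.htm infected:", check_document(INFECTED_HTM))
```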
I didn't actually mean to imply ***anything at all*** about whether his
Yep, I think mike j harvey is right, it's probably not deliberate, he just
got infected.
Yes. Graham (Eeyore) posted that to bring attention to the earlier thread.
Lostgallifreyan wrote:
Yep, I think mike j harvey is right, it's probably not deliberate, he
just got infected.
I didn't actually mean to imply ***anything at all*** about whether
his site was knowingly infected by him or not. I merely
copied-and-pasted the description of this virus from a website namely
http://www.virus-scan-software.com/latest-virus-software/latest-viruses
/vbsredlof-m.shtml
He seems so crazy that it seems feasible that he knows nothing about
the virus, although if you go to Google Groups and look at "messages
by this author" you'll see that until very recently he was using
Geocities for his crazy pages. The address (now unavailable) was:-
http://www.geocities.com/hamid_vasigh_ansari
Maybe ansari don't have a clue regarding viruses.
Yes. Graham (Eeyore) posted that to bring attention to the earlier thread.
Also, I think that Topcities is a very small operation, not at all to be
confused with Geocities, the original host. So, as the page itself has been
migrated to more than one host, virus intact, I think we can assume that
the attempt to spread the virus is very deliberate. Geocities have taken
down the original, and no doubt told 'ansari' why they did so, and again,
this person is trying to infect people.
Clueless webbhotel?
I posted word to the guy who registered the Topcities domain, but haven't
heard word back, nor is that page offline yet.
If the country won't handle abuse properly, there's always the option to
Graham posted in the earlier thread today, and his post shows stuff that
places 'ansari' in Iran, so there's no chance of getting any kind of action
there, they have bigger problems. So we'll just have to get to his hosting
base each time.
pbdelete@spamnuke.ludd.luthdelete.se.invalid> wrote in message
news:44bc8abf$0$489$cc7c7865@news.luth.se...
CAUTION!
Can anyone check my reply is clean?
AVG seems to be struggling a bit with this one!!!
AVG updated earlier today - when I scanned after the warning about the
ian field wrote:
Nothing here but I'm sure news needs an attachment to carry a virus.
If your AVG was up to date you were fine.
Graham