[Dshield] Possible Virus......??

James Jarvis james.jarvis at quest-media.com
Mon Mar 18 16:22:43 GMT 2002


PS...  Are you the James Jarvis of AMUS fame?

- I guess not - Who's that then?

-----Original Message-----
From: Tom Geairn [mailto:tgeairn at newviewconsulting.com]
Sent: 18 March 2002 15:49
To: list at dshield.org
Subject: RE: [Dshield] Possible Virus......??


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For things like this I have found that a safe browser utility (such
as http://www.samspade.org/t/) is a great way to see what is on a
site "safely".  

Browsing to www.calling.net in this manner shows a mostly normal
website, in some foreign language.  The download is *probably* a
foreign font.  The page specifies the charset as "big5" which is
Chinese Traditional.
- -Tom

PS...  Are you the James Jarvis of AMUS fame?


- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
Behalf Of James Jarvis
Sent: Monday, March 18, 2002 9:08 AM
To: 'list at dshield.org'
Subject: RE: [Dshield] Possible Virus......??

Hi, 

I just asked the person that had it and they deleted it so I can't
get hold
of the source again. I had a look earlier, and it was code sending
you to a
website. If you goto http://www.callin.net it will commence the
download of
something. If anyone has a machine that they use to test stuff on and
is not
going to affect a network atc. just go there and see what happens!

- -----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: 18 March 2002 14:43
To: list at dshield.org
Subject: Re: [Dshield] Possible Virus......??


If you have the html source, look for something like:

[meta HTTP-EQUIV="REFRESH" CONTENT="5; URL=../index.html"]

This tag automatically redirects the viewer to whatever url is after
"URL= " after the number of seconds in "CONTENT= "

This is *one* method of sending you off to an unknown web site,
merely
by viewing an html-formatted email..


- - John
- -- 
Most people don't type their own logfiles;  but, what do I care?


 
On Mon, Mar 18, 2002 at 10:37:17AM -0000, James Jarvis wrote:
> Hi there,
> 
> One of my colleagues received an email from test at test.com.tw when
> the 
email
> was opened it launhed a web-site and commenced downloading a file -
> It didn't display the name of the file, and the download was
> cancelled before it was able to continue. I checked the source of
> the email (It was in 
HTML)
> and it pointed to a site called callin.net. The remainder of the
> email was all in stragnge random characters, and there was a type
> of form at the 
base
> of the email.
> 
> I ran a virus scan on the computer (McCafee) and it didn't find
> anything unusual. Does anyone have any thoughts? It may be
> completely harmless, but 
I
> am not a fan of executable emails. Was thinking of sending the URL
> to McCaffee suport, for them to investigate.
> 
> Thanks,
> James

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPJYMb8kak2XDABkdEQLXcQCgr2LBcv9tLF4qcS9Z4EMGBUyegWQAnRn0
w6QdGt7zQWi2Xqeevgu7GtUG
=PUlO
-----END PGP SIGNATURE-----

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list