[Dshield] Is this site a wmf attack?

ptds at majordomo.thedacare.org
Thu Feb 23 05:17:56 GMT 2006



On Wed, 22 Feb 2006, Wes S wrote:

> I was looking for reviews on the Palm T|X via Google and when I 
> clicked on this site, my virus scanner (eTrust) got uppity about a 
> virus exploit.  The site seems to be trying to send me a WMF file.
> 
> I rot13'd the link:
> 
> uggc://jjj.onetnvacqn.pbz/qrsnhyg.nfc?arjfVQ=2691
> 
> 
As a matter of fact, it does.  When the site is searched from Google some 
JavaScript black magic occurs and junk is downloaded from the WMF file at 

uggc://jro.163.fu.pa/~junyrkvat/jjj.jzs

and the strings inside that file point to 

uggc://jro.163.fu.pa/~junyrkvat/freire.rkr
 
which is

[Trojan.Win32.Crypt.k]

I complained to the quality feedback on Google as I understand that they 
frown upon sites that give different content if the referrer is Google 
than if it is not, and virus turds are certainly different content.

There seem to be a lot of these popping up lately.
Yours is Chinese, here is a Russian one:

uggc://vaqvna-bayvar.sgcubfg.arg/va.wf




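The referrer-dependent content described in this message can be checked for by comparing what a page auto-loads when it is fetched directly and when it is fetched with a search-engine Referer. This is an added example, not part of the original post: it assumes the two HTML bodies were already captured, the sample bodies and example hostnames are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that make a browser fetch a resource without a click.
AUTOLOAD = {("script", "src"), ("iframe", "src"), ("img", "src"),
            ("embed", "src"), ("object", "data")}

class _Refs(HTMLParser):
    """Collects absolute URLs of auto-loaded resources in one HTML body."""
    def __init__(self, base):
        super().__init__()
        self.base, self.refs = base, set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTOLOAD:
                self.refs.add(urljoin(self.base, value.strip()))

def autoload_refs(html, base):
    parser = _Refs(base)
    parser.feed(html)
    parser.close()
    return parser.refs

def cloaking_report(base, body_direct, body_from_search):
    """List resources that appear only in the search-referred body."""
    extra = autoload_refs(body_from_search, base) - autoload_refs(body_direct, base)
    page_host = urlparse(base).hostname
    return [{"url": u,
             "offsite": urlparse(u).hostname != page_host,
             "wmf": urlparse(u).path.lower().endswith(".wmf")}
            for u in sorted(extra)]

# Constructed sample capture: same page, fetched without and with a search Referer.
BASE = "http://shop.example/default.asp?newsID=1"
DIRECT = '<html><body><img src="/logo.gif"><script src="/menu.js"></script></body></html>'
REFERRED = ('<html><body><img src="/logo.gif"><script src="/menu.js"></script>'
            '<iframe src="http://files.example.net/~user/www.wmf" width=0 height=0>'
            '</iframe></body></html>')

if __name__ == "__main__":
    for finding in cloaking_report(BASE, DIRECT, REFERRED):
        print(finding)
```

Content injected by client-side script after load does not show up in a static body comparison; for that case the two bodies would have to come from a rendering sandbox.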