As I said on the initial email, it's an antivirus called "NOD32". In
my experience, I haven't had any false positives with it yet.
The mystery site apparently tried to make me download an .exe, then in
case that didn't work, attempted to load a malicious piece of Java
from a second domain, coripastares.com. I have a funky feeling if I
had been on IE, it'd probably execute it.
The .jar, I presume, would install nasty things on the host machine.
Here's an online virus scan that works with urls:
http://online.drweb.com/
Go there and paste this url: http://coripastares.com/ms03011.jar
(and please be careful not to run this link accidentally)
It says:
In file >ms03011.jar/MagicApplet.class found virus VBS.Siggen.1989
In file >ms03011.jar/OwnClassLoader.class found virus Exploit.ByteVerify
In file >ms03011.jar/ProxyClassLoader.class found virus Exploit.ByteVerify
In file >ms03011.jar/Installer.class found virus VBS.Siggen.5970
Alternatively, you are welcome to download the file yourself and run
it through multiple antiviruses:
http://virusscan.jotti.org/ (scans using multiple engines. pretty neat.)
http://www.kaspersky.com/scanforvirus (Kaspersky rarely, if ever, has
false positives.)
Cheers,
-- Alan
On Feb 12, 2008 2:03 AM, kim aldis <xsi(at)kim-aldis.co.uk> wrote:
> Yup, you're right. Something had found its way into the site's main template
> file. I'm not sure if it's always been there or if it's been hacked, the
> template page was a copy of a Joomla template.
>
> I can't find any reference to this site using google. Browsing to the link
> using a virtual machine browser redirects immediately to google.
>
> My virus checker didn't pick up on it, which one do you use?
>
>
>
> > -----Original Message-----
> > From: owner-xsi(at)Softimage.COM [mailto:owner-xsi(at)Softimage.COM] On
> > Behalf Of kim aldis
> > Sent: 12 February 2008 09:49
> > To: XSI(at)Softimage.COM
> > Subject: RE: [OT] Hey Kim, is your site hijacked to load virus? Please
> > confirm..
> >
> > Thanks Alan, just checking it out now.
> >
> >
>
>
> ---
>
> Unsubscribe? Mail Majordomo(at)Softimage.COM with the following text in body:
> unsubscribe xsi
>