Hi All,

To detect if your customers/employees are infected,
check the HTTP User-Agent string in your web logs and proxy logs
for the following new tokens that this thing adds to a machine's existing
User-Agent string:

        AntivirXP08
        3P_UVRM
        3P_UASE
        3P_PCPC
        3P_UPCPC
        3P_UAMG

Example:
        Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)



One problem is that some AV engines clean the machine but do not remove
these tokens, so you could have some false positives as to whether a machine
is still infected. However, you can definitely infer that the machine was
infected at some point.

Thanks
Ashish Desai
Internet Channel Security
Fidelity Investments
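The log check described above, as an added example (not code from the original post): it parses Apache/nginx combined-format access-log lines, matches the listed tokens as whole User-Agent fields, and reports per client IP the tokens seen plus the first and last time a tagged User-Agent appeared, so the result can be compared against a cleanup date rather than read as "still infected". The log lines are constructed for illustration; the field-based matching and the combined-format regex are my assumptions about what a practitioner's logs look like, so adjust the regex to your proxy's format.

```python
import re

# Tokens the fake AV appends to a machine's existing User-Agent string
# (the list given in the post above).
FAKEAV_UA_TOKENS = frozenset(
    ["AntivirXP08", "3P_UVRM", "3P_UASE", "3P_PCPC", "3P_UPCPC", "3P_UAMG"]
)

# Apache/nginx "combined" access-log format (assumed); the User-Agent is the
# last quoted field. Proxy logs (Squid, Bluecoat, ...) need their own regex.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Constructed sample log: two tagged hosts, one clean host, one malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2008:10:01:12 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"
10.0.0.9 - - [27/Aug/2008:10:01:15 -0400] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
10.0.0.7 - - [27/Aug/2008:10:02:40 -0400] "GET /img/a.png HTTP/1.1" 200 842 "http://example.test/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 3P_UAMG; 3P_UPCPC)"
10.0.0.5 - - [27/Aug/2008:11:45:03 -0400] "POST /account HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"
this line is not in combined log format
"""


def parse_combined(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def ua_fields(ua):
    """Split a User-Agent into its ';'-separated fields; parentheses count as separators too."""
    return {f.strip() for f in re.split(r"[;()]", ua) if f.strip()}


def fakeav_tokens_in(ua):
    """Return the fake-AV tokens present as whole fields of the User-Agent, sorted."""
    # Whole-field matching rather than substring search, so an unrelated product
    # string that merely contains one of the tokens as a substring is not flagged.
    return sorted(FAKEAV_UA_TOKENS & ua_fields(ua))


def scan_log(text):
    """Scan log text; return ({ip: summary}, unparsed_line_count).

    Per client IP: tokens seen, number of tagged requests, and the first and last
    timestamps at which a tagged User-Agent was seen. Because some AV engines
    clean the machine but leave the tokens behind, a hit means "was infected at
    some point", not "is infected now"; first/last seen lets you compare against
    the cleanup time for that host.
    """
    findings = {}
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_combined(line)
        if rec is None:
            unparsed += 1  # counted, not silently dropped, so format drift is visible
            continue
        tokens = fakeav_tokens_in(rec["ua"])
        if not tokens:
            continue
        entry = findings.setdefault(
            rec["ip"], {"tokens": set(), "hits": 0, "first": rec["ts"], "last": rec["ts"]}
        )
        entry["tokens"].update(tokens)
        entry["hits"] += 1
        entry["last"] = rec["ts"]  # log lines are assumed to be in chronological order
    return findings, unparsed


if __name__ == "__main__":
    results, bad = scan_log(SAMPLE_LOG)
    for ip, info in sorted(results.items()):
        print(f"{ip}: tokens={sorted(info['tokens'])} hits={info['hits']} "
              f"first={info['first']} last={info['last']}")
    print(f"{bad} line(s) did not match the log format")
```

Run it against a real access log with `scan_log(open(path).read())`; a host whose "last" timestamp is older than the date its AV reported a cleanup is the false-positive case the post warns about, while a host still producing tagged requests today is worth a closer look.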

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Wednesday, August 27, 2008 7:54 PM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] fake AV (malicious) sites

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
bestantivirus2009 com

iframe with exploits: huytegygle com/index.php <--script
huytegygle com/bin/ file.exe

This information is from:
http://sunbeltblog.blogspot.com/2008/08/xp-antivirus-2008-now-with-sploits.html

Lots of Fake AV sites.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law
enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
