Hi All,

To detect if your customers/employees are infected, check the HTTP user-agent string in your web logs and proxy logs for the following new tokens that this thing adds to a machine's existing user-agent string:

AntivirXP08
3P_UVRM
3P_UASE
3P_PCPC
3P_UPCPC
3P_UAMG

Example: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)

One problem is that some AV engines clean the machine but do not remove these tokens, so you could have some false positives as to whether a machine is still infected. However, you can definitely infer that the machine was infected at some point.

Thanks
Ashish Desai
Internet Channel Security
Fidelity Investments

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gadi Evron
Sent: Wednesday, August 27, 2008 7:54 PM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] fake AV (malicious) sites

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

bestantivirus2009 com

iframe with exploits:
huytegygle com/index.php <--script
huytegygle com/bin/ file.exe

This information is from:
http://sunbeltblog.blogspot.com/2008/08/xp-antivirus-2008-now-with-sploits.html

Lots of Fake AV sites.

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
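As an added detection example (not part of the thread, and not Fidelity's or the list's code): a Python script that scans web or proxy log lines for the user-agent tokens named above. It assumes Apache/NCSA combined log format and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Tokens the post says the malware appends to a machine's existing User-Agent.
INFECTION_TOKENS = frozenset(
    ["AntivirXP08", "3P_UVRM", "3P_UASE", "3P_PCPC", "3P_UPCPC", "3P_UAMG"]
)

# Apache/NCSA "combined" log line (assumed format); the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def tokens_in_ua(ua: str) -> set:
    """Return the infection tokens present in one User-Agent string.
    The UA is split on the separators browsers use (';', '(', ')', spaces) so
    only whole tokens match, never a substring of an unrelated token."""
    parts = re.split(r"[;()\s]+", ua)
    return INFECTION_TOKENS.intersection(parts)


def scan_log(lines):
    """Map each client IP to the sorted list of tokens seen in its requests.
    Unparseable lines are skipped. A hit means the host was infected at some
    point; as the post notes, a cleaned host may keep the tokens, so treat a
    hit as a lead to verify, not as proof of a live infection."""
    hits = defaultdict(set)
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue
        found = tokens_in_ua(m.group("ua"))
        if found:
            hits[m.group("client")].update(found)
    return {client: sorted(toks) for client, toks in hits.items()}


# Constructed sample log lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Aug/2008:20:01:12 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"',
    '10.0.0.7 - - [27/Aug/2008:20:02:30 -0400] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.9 - - [27/Aug/2008:20:03:45 -0400] "GET /a.gif HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 3P_UVRM; 3P_UASE)"',
    '10.0.0.5 - - [27/Aug/2008:20:05:00 -0400] "GET /b HTTP/1.1" 200 100 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; 3P_UAMG)"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for client, toks in scan_log(SAMPLE_LOG).items():
        print(f"{client}: infected at some point (tokens: {', '.join(toks)})")
```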