Colleagues,

Following on from Simon's information I thought that the article at http://newsletter.itpro.co.uk/c/1E3jXA3MZt1jPm5wN was an interesting of the scale and nature of this problem.

Tom.

>>> "Desai, Ashish" <[EMAIL PROTECTED]> 08/28/08 3:00 PM >>>
Hi All,

To detect if your customers/employees are infected, check the HTTP user-agent string in your web logs and proxy logs for the following new tokens that this thing adds to a machine's existing user-agent string:

AntivirXP08
3P_UVRM
3P_UASE
3P_PCPC
3P_UPCPC
3P_UAMG

Example: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)

One problem is that some AV engines clean the machine but do not remove these tokens, so you could have some false positives of whether a machine is still infected. However, you can definitely infer that the machine was infected at some point.

Thanks
Ashish Desai
Internet Channel Security
Fidelity Investments

----- Original Message -----
From: botnets-[EMAIL PROTECTED] [mailto:botnets-[EMAIL PROTECTED]] On Behalf Of Gadi Evron
Sent: Wednesday, August 27, 2008 7:54 PM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] fake AV (malicious) sites

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

bestantivirus2009 com

iframe with exploits:
huytegygle com/index.php <-- script
huytegygle com/bin/file.exe

This information is from:
http://sunbeltblog.blogspot.com/2008/08/xp-antivirus-2008-now-with-sploits.html

Lots of Fake AV sites.

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

The University of Dundee is a registered Scottish charity, No: SC015096
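As an added example (not part of the thread or anyone's posted code), the check Ashish describes run over a few constructed combined-format proxy log lines: each client's User-Agent is scanned for the listed tokens, and the report says "infected at some point" rather than "currently infected" because, as he notes, a cleaned machine may keep the tokens. The log lines, IPs and hostnames are made up for the example.

```python
import re
from collections import defaultdict

# Tokens the fake AV appends to the browser's User-Agent string,
# as listed in Ashish's message.
INFECTION_TOKENS = ("AntivirXP08", "3P_UVRM", "3P_UASE", "3P_PCPC", "3P_UPCPC", "3P_UAMG")

# Apache/Squid "combined" log format: the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). 10.1.2.4 carries the
# AntivirXP08 token from the example in the message; 10.1.2.5 carries two others.
SAMPLE_LOG = """\
10.1.2.3 - - [28/Aug/2008:09:01:12 +0100] "GET http://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.2.4 - - [28/Aug/2008:09:02:30 +0100] "GET http://example.com/news HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"
10.1.2.5 - - [28/Aug/2008:09:03:01 +0100] "GET http://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 3P_UVRM; 3P_UASE)"
10.1.2.4 - - [28/Aug/2008:09:05:44 +0100] "GET http://example.com/a HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"
"""


def tokens_in_user_agent(ua):
    """Return the sorted list of infection tokens present in one User-Agent string."""
    return sorted(t for t in INFECTION_TOKENS if t in ua)


def find_infected_clients(log_text):
    """Map client IP -> set of tokens seen in any of its User-Agent strings."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        found = tokens_in_user_agent(m.group("ua"))
        if found:
            hits[m.group("ip")].update(found)
    return dict(hits)


if __name__ == "__main__":
    for ip, toks in sorted(find_infected_clients(SAMPLE_LOG).items()):
        # Tokens may survive AV cleanup, so this only proves past infection.
        print(f"{ip}: infected at some point (tokens: {', '.join(sorted(toks))})")
```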