Please Decrypt



SyntaXmasteR
07-01-2005, 11:12 AM
Someone downloaded NetSky.Q (wonderful little thing) and it's emailing the following URL:

mhtml:mid://000000*8/!cid:0**40*Mfdab4$*f*dL7807**870*8@57W8*fa70Re

Can someone break down the different parts of this URL?
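An added example, not from the thread or from any of the posters: a small Python parser that splits an mhtml: URL into the pieces the question above asks about. It assumes the `mhtml:<root-location>!<part-location>` convention used by MHTML-aware clients, where the root names the MIME container and the part after `!` names a body part inside it, and it treats `mid:` and `cid:` as the RFC 2392 message-id and content-id schemes. The log lines are constructed for the example, and the asterisks are kept exactly as the post's redaction characters.

```python
"""Split mhtml: URLs seen in mail or proxy logs into root and part references.

Added example (not code from the thread). Assumes the convention
    mhtml:<root-location>!<part-location>
where the root locates a MIME container and the part locates a body part
within it; mid: and cid: are the RFC 2392 message-id / content-id schemes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Generic URI scheme prefix, e.g. "mid:" or "cid:" (RFC 3986 scheme syntax).
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
# Pull whitespace-free mhtml: tokens out of free text such as a log line.
_MHTML_TOKEN = re.compile(r"mhtml:\S+", re.IGNORECASE)


@dataclass
class MhtmlRef:
    root: str                   # container location, e.g. "mid://000000*8/"
    root_scheme: str            # scheme of the container, e.g. "mid"
    part: Optional[str]         # part location after "!", or None if absent
    part_scheme: Optional[str]  # scheme of the part, e.g. "cid"


def parse_mhtml_url(url: str) -> Optional[MhtmlRef]:
    """Return the root/part split of an mhtml: URL, or None if not mhtml:."""
    if not url.lower().startswith("mhtml:"):
        return None
    body = url[len("mhtml:"):]
    root, bang, part = body.partition("!")
    root_m = _SCHEME.match(root)
    part_m = _SCHEME.match(part) if bang else None
    return MhtmlRef(
        root=root,
        root_scheme=root_m.group(1).lower() if root_m else "",
        part=part if bang else None,
        part_scheme=part_m.group(1).lower() if part_m else None,
    )


def is_suspicious(url: str) -> bool:
    """Flag the shape in the post: a mail message (mid:) as container and a
    cid: body part as the document to render. A saved .mht file referencing
    an http: part is the ordinary, benign use of the scheme and is not flagged."""
    ref = parse_mhtml_url(url)
    return ref is not None and ref.root_scheme == "mid" and ref.part_scheme == "cid"


def flag_lines(lines: List[str]) -> List[int]:
    """Return indexes of lines containing at least one suspicious mhtml: URL."""
    hits = []
    for i, line in enumerate(lines):
        if any(is_suspicious(tok) for tok in _MHTML_TOKEN.findall(line)):
            hits.append(i)
    return hits


# Constructed sample lines: one copy of the thread's (redacted) URL embedded in
# a mail-filter report, one benign saved-page reference, one unrelated line.
SAMPLE_LINES = [
    "X-Spam-Report: body contains mhtml:mid://000000*8/!cid:0**40*Mfdab4$*f*dL7807**870*8@57W8*fa70Re",
    "GET mhtml:file://C:/saved/page.mht!http://example.test/page.html",
    "Subject: weekly status (no links)",
]

if __name__ == "__main__":
    ref = parse_mhtml_url(_MHTML_TOKEN.search(SAMPLE_LINES[0]).group(0))
    print("root :", ref.root, "(scheme", ref.root_scheme + ")")
    print("part :", ref.part, "(scheme", ref.part_scheme + ")")
    print("flagged line indexes:", flag_lines(SAMPLE_LINES))
```

The split is purely structural: the parser does not fetch or open anything, so it is safe to run over captured spam-filter output like the report mentioned later in the thread. The redacted characters are opaque to it, which is fine, since only the schemes on either side of the `!` drive the decision.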

123456
07-06-2006, 04:53 PM
That isn't a url :confused:

sexy31533
07-13-2006, 02:14 PM
Someone downloaded NetSky.Q (wonderful little thing) and it's emailing the following URL:

mhtml:mid://000000*8/!cid:0**40*Mfdab4$*f*dL7807**870*8@57W8*fa70Re

Can someone break down the different parts of this URL?


SyntaX******:is it possible for you to email me? I have a question for you.

123456
07-13-2006, 02:41 PM
That Last Link Is A Virus!!!! It Downloads Several Viruses>>>Do Not Open It Under Any Circumstances!!!!!!!!

You Have Been Warned!

disregardme
07-13-2006, 02:55 PM
That Last Link Is A Virus!!!! It Downloads Several Viruses>>>Do Not Open It Under Any Circumstances!!!!!!!!

You Have Been Warned!

What makes the link a virus? Are you referring to my post? Please explain.

123456
07-13-2006, 03:13 PM
NetSky.P ring any bells to you? As well as other exploits it downloads.

Take my advice do not open the link!

disregardme
07-13-2006, 03:54 PM
Ok. Tested on another machine and you're right. Sorry for all the questions.

I'm running Firefox on this machine. Makes sense that Trend wouldn't detect.

Running a scan with Trend and still no instance. Deleted posts above just to be safe for everyone else.

I guess what I'm looking at is the output from a spam filter that includes the email one would get. Amazing part is grinding through Google to arrive at that link.

On the other system, Trend popped up with the detection in the Temp Internet files.

disregardme
07-13-2006, 04:49 PM
I see what the other system did.

Trend actually detected the script written within SpamAssassin's report.

None of the NetSky.P files were dropped on either system. Both PCs have the same build and version of Trend. The difference is the browser used.

I'll try it with Panda later. Live and learn.

What I linked to was a report in the xemacs.org archive.

disregardme
07-13-2006, 05:38 PM
Panda saw it as a virus too. The link I posted is not the actual virus but contains lines detected by AVs as malicious code.

I Googled the @57W8*fa70Re from SyntaX******'s post and it was the fourth link down. I did get an interesting tidbit from another link above that one.

"In this form, the virus is in text format - this is only dangerous if the attachment region is reverted to binary form by an email server or email processing application."

source: http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=70045

123456
07-13-2006, 06:11 PM
Glad to see it wasn't deliberately posted :) But on the other hand... you should always check out links before posting them. Your AV should also alert you to the malware downloaded from that link, especially considering the Netsky virus has been out for some while. The fact that your AV did not detect it is very worrying! You need to check your AV settings. Good research from Fortinet, that! ;)

A few more tips: whenever you look at websites such as the one you posted, ask yourself, does this look legit/safe? Never click on an unknown link. When a website displays emails and various other stuff with no layout as such, be realistic when you ask yourself what the purpose of this website is. The only reason I opened the link was because I have VMware installed on my PC.

Jamie

disregardme
07-13-2006, 07:35 PM
Yep. I never intended to cause harm.
Trend did finally alert.
IE6 and the new Firefox beta opened the site without any conversion attempt. AV full scan and damage cleanup detected nothing.
The culprit for the alert was latest Avant browser. That URL brought immediate response.
Panda did not detect with real-time scan. Only right-click and scan on the URL alerted of any problem.

I've had enough education for the day. ;)