
Thread: Please Decrypt

  1. #1
    Join Date
    Jan 2005
    Posts
    623

    Please Decrypt

    Someone downloaded NetSky.Q (wonderful little thing) and it's emailing the following URL:

    mhtml:mid://000000*8/!cid:0**40*Mfdab4$*f*dL7807**870*8@57W8*fa70Re

    Can someone break down the different parts of this URL?
    [url=http://www.syntax******.info/tools/services.php]Speed Up Windows XP[/url]
    [url=http://www.syntax******.info/tools/ip.php]Get An Ip Address[/url]
    [url=http://www.syntax******.info/tools/base_converter.php]Base Converter[/url]
    --------------------------------
    [URL=http://www.boninroad.com/syntax******/]Old Site[/URL]
    [URL=http://www.syntax******.info]Coming Soon[/URL]
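    To answer the breakdown question: the string is an `mhtml:` reference of the form `mhtml:<container-url>!<part-selector>`, the shape Internet Explorer's MHTML handler understands for web-archive files (RFC 2557 describes the format). The container here is a `mid:` URL, which names an e-mail message by its Message-ID, and the selector after the `!` is a `cid:` URL, which names one MIME body part of that message by its Content-ID (both `mid:` and `cid:` are defined in RFC 2392). The Python below is an added example written for this thread, not code posted by anyone in it; it splits such a reference into those components and also scans a mail body for any `mhtml:` references, which is a useful triage signal on a mail gateway. The sample mail body and its Message-ID/Content-ID values are constructed; the thread's own string is parsed exactly as posted, asterisks included.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of an MHTML reference (Internet Explorer style, RFC 2557 container):
#   mhtml:<container-url>!<part-selector>
# The container is itself a URL; in the thread it is a mid: Message-ID reference,
# and the selector is a cid: Content-ID reference (both per RFC 2392).


@dataclass
class MhtmlRef:
    container: str                    # URL of the MHTML container, e.g. "mid://000000*8"
    container_scheme: str             # scheme of that URL: "mid", "http", "file", ...
    message_id: Optional[str]         # Message-ID when the container is a mid: URL
    part: Optional[str]               # selector after "!", e.g. "cid:abc@host"
    content_id: Optional[str]         # Content-ID when the selector is a cid: URL
    content_id_domain: Optional[str]  # text after the last "@" of the Content-ID


# Anything that starts with "mhtml:" and runs until whitespace or an HTML/quote delimiter.
MHTML_RE = re.compile(r"(?i)\bmhtml:[^\s\"'<>]+")


def parse_mhtml_ref(url: str) -> MhtmlRef:
    """Split one mhtml: URL into its container and part components."""
    m = re.fullmatch(r"(?is)mhtml:(.*)", url.strip())
    if not m:
        raise ValueError("not an mhtml: URL: %r" % url)
    container, bang, part = m.group(1).partition("!")
    container = container.rstrip("/")            # "mid://x/" -> "mid://x"
    cscheme, _, cbody = container.partition(":")
    cscheme = cscheme.lower()
    # For mid: containers the body is the Message-ID (leading slashes are just separators).
    message_id = cbody.lstrip("/") if cscheme == "mid" else None
    part = part if bang else None                # no "!" means no part selector
    content_id = None
    if part is not None:
        pscheme, _, pbody = part.partition(":")
        if pscheme.lower() == "cid":
            content_id = pbody
    cid_domain = None
    if content_id and "@" in content_id:
        cid_domain = content_id.rsplit("@", 1)[1]
    return MhtmlRef(container, cscheme, message_id, part, content_id, cid_domain)


def find_mhtml_refs(text: str) -> List[str]:
    """Return every mhtml: reference found in a mail body or HTML source."""
    return MHTML_RE.findall(text)


def triage(text: str) -> List[MhtmlRef]:
    """Parse every mhtml: reference in the text; useful as a gateway triage step."""
    return [parse_mhtml_ref(u) for u in find_mhtml_refs(text)]


# Constructed sample mail body (not a real message); the IDs are placeholders.
SAMPLE_MAIL_BODY = """\
Subject: Re: your document
Please see the attached document:
mhtml:mid://CONSTRUCTED-ID-01/!cid:part01@example.invalid
and the ordinary link http://www.example.invalid/page.html
"""

if __name__ == "__main__":
    for ref in triage(SAMPLE_MAIL_BODY):
        print(ref)
```

    Run against the thread's string, `parse_mhtml_ref` reports container scheme `mid`, Message-ID `000000*8`, and Content-ID `0**40*Mfdab4$*f*dL7807**870*8@57W8*fa70Re` with `57W8*fa70Re` as the part after the `@`. Because the reference points into a mail message rather than at a host, it resolves only inside a client that can locate that message, which is why it reads as a URL yet is not a web address in the usual sense.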

  2. #2
    Join Date
    Jan 2005
    Posts
    58
    That isn't a url

  3. #3
    Join Date
    Jul 2006
    Posts
    1
    Quote Originally Posted by SyntaX******
    Someone downloaded NetSky.Q (wonderful little thing) and it's emailing the following URL:

    mhtml:mid://000000*8/!cid:0**40*Mfdab4$*f*dL7807**870*8@57W8*fa70Re

    Can someone break down the different parts of this URL?

    SyntaX******: is it possible for you to email me? I have a question for you.

  4. #4
    Join Date
    Jan 2005
    Posts
    58
    That Last Link Is A Virus!!!! It Downloads Several Viruses>>>Do Not Open It Under Any Circumstances!!!!!!!!

    You Have Been Warned!

  5. #5
    Join Date
    May 2006
    Posts
    7
    Quote Originally Posted by *2*456
    That Last Link Is A Virus!!!! It Downloads Several Viruses>>>Do Not Open It Under Any Circumstances!!!!!!!!

    You Have Been Warned!
    What makes the link a virus? Are you referring to my post? Please explain.

  6. #6
    Join Date
    Jan 2005
    Posts
    58
    NetSky.P ring any bells to you? As well as other exploits it downloads.

    Take my advice: do not open the link!

  7. #7
    Join Date
    May 2006
    Posts
    7
    Ok. Tested on another machine and you're right. Sorry for all the questions.

    I'm running Firefox on this machine. Makes sense that Trend wouldn't detect.

    Running a scan with Trend and still no instance. Deleted posts above just to be safe for everyone else.

    I guess what I'm looking at is the output from a spam filter that includes the email one would get. Amazing part is grinding through Google to arrive at that link.

    On the other system, Trend popped up with the detection in the Temp Internet files.
    Last edited by disregardme; 07-13-2006 at 04:18 PM.

  8. #8
    Join Date
    May 2006
    Posts
    7
    I see what the other system did.

    Trend actually detected the script written within SpamAssassin's report.

    None of the NetSky.P files were dropped on either system. Both PCs have the same build and version of Trend. The difference is the browser used.

    I'll try it with Panda later. Live and learn.

    What I linked to was a report in the xemacs.org archive.

  9. #9
    Join Date
    May 2006
    Posts
    7
    Panda saw it as a virus too. The link I posted is not the actual virus but contains lines detected by AVs as malicious code.

    I Googled the @57W8*fa70Re from SyntaX******'s post and it was the fourth link down. I did get an interesting tidbit from another link above that one.

    "In this form, the virus is in text format - this is only dangerous if the attachment region is reverted to binary form by an email server or email processing application."

    source: [url]http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=70045[/url]

  10. #10
    Join Date
    Jan 2005
    Posts
    58
    Glad to see it wasn't deliberately posted. But on the other hand... you should always check out links before posting them. Your AV should also alert you to the malware downloaded from that link, especially considering the Netsky virus has been out for some while. The fact that your AV did not detect it is very worrying! You need to check your AV settings. Good research from Fortinet, that!

    A few more tips: whenever you look at websites such as the one you posted, ask yourself, does this look legit/safe? Never click on an unknown link. When a website displays emails and various other stuff with no layout as such, be realistic when you ask yourself what the purpose of this website is. The only reason I opened the link was because I have VMware installed on my PC.

    Jamie

  11. #11
    Join Date
    May 2006
    Posts
    7
    Yep. I never intended to cause harm.
    Trend did finally alert.
    IE6 and the new Firefox beta opened the site without any conversion attempt. AV full scan and damage cleanup detected nothing.
    The culprit for the alert was latest Avant browser. That URL brought immediate response.
    Panda did not detect with real-time scan. Only right-click and scan on the URL alerted of any problem.

    I've had enough education for the day.
