http://ansari1.topcities.com/

wrote:
http://ansari1.topcities.com/

Your English is crap, and there is no math in your crazy ranting. You
will go in my kill file. You are crazy.

wrote:

http://ansari1.topcities.com/

There's a virus there. VBS/Redlof

Graham

wrote:

http://


You'll have to come back next year, since we've already bagged our
limit on idiots for this year.


--
Service to my country? Been there, Done that, and I've got my DD214 to
prove it.
Member of DAV #85.

Michael A. Terrell
Central Florida

Eeyore wrote:

wrote:

http://ansari1.topcities.com/

There's a virus there. VBS/Redlof

Darn. Another thing that's not supported on my Linux system.

--
Paul Hovnanian
------------------------------------------------------------------
All those who believe in psychokinesis raise my hand.

"Paul Hovnanian P.E." wrote in
:

Eeyore wrote:

wrote:

http://ansari1.topcities.com/

There's a virus there. VBS/Redlof

Darn. Another thing that's not supported on my Linux system.


This is why I have Proximtron replave VBscript with ****tardScript. It's
perfect for cases like this one. A look at his pages source shows a large
wodge of binary executable code. It's a deliberate attempt to infect
people's machines. It's the kind of thing that makes spam look like the
trivia it is, so if some of those who are keen to stamp out spam in these
groups were to get on the case of this thing, it might be time well spent.

Lostgallifreyan wrote in
:

"Paul Hovnanian P.E." wrote in
:

Eeyore wrote:

wrote:

http://ansari1.topcities.com/

There's a virus there. VBS/Redlof

Darn. Another thing that's not supported on my Linux system.


This is why I have Proximtron replave VBscript with ****tardScript.
It's perfect for cases like this one. A look at his pages source shows
a large wodge of binary executable code. It's a deliberate attempt to
infect people's machines. It's the kind of thing that makes spam look
like the trivia it is, so if some of those who are keen to stamp out
spam in these groups were to get on the case of this thing, it might
be time well spent.


(Proxomitron..)

Noit that I reposted just to correct that dumb typo. I've decided to
forward that URL to the Topcites abuse section. I think they'll want that
stopped ASAP especially as this isn't the first time this has been
attempted by the same person.

Hmmm.. It's not exactly a Geocities clone The 'abuse section' might well
be one guy Kenny Jou ), according to a DirectNIC
whois test of topcities.com.

I sent him the following message:


[BEGIN]
"Abuse of Topcities hosting. Deliberate viral infector."

http://ansari1.topcities.com/

Please NUKE this guy's account and do usenet a favour!

The person leasing that domain is deliberately trying to get people on
usenet (and maybe other systems) to visit his site, on which he hosts a
VisualBasic script with a large block of executable binary code designed to
infect people with a virus that several people have independently
identified as VBS/Redlof. I ignored the first time this idiot did this a
couple of weeks ago, but it shouldn't be left unchecked.

Please nuke his account, I don't think there's any need to ask him nicely
or to give him a chance to change the script, he probably had to work to
put it there.
[END]

If anyone can do better than this and is feeling petulant and with time to
spare, have at it.

Lostgallifreyan wrote:

The person leasing that domain is deliberately trying to get people on
usenet (and maybe other systems) to visit his site, on which he hosts a
VisualBasic script with a large block of executable binary code designed to
infect people with a virus that several people have independently
identified as VBS/Redlof. I ignored the first time this idiot did this a
couple of weeks ago, but it shouldn't be left unchecked.


VIRUS NAME : VBS/Redlof@M

Virus Characteristics

This is a file infecting VBScript that sets a default, infected,
stationary file for the Microsoft Outlook and Outlook Express email
client programs. It exploits the Microsoft VM ActiveX Component
Vulnerability.

The script arrives in an email message, hidden from the user, or can be
present on websites that contain infected .HTM files. The virus uses
the BODY ONLOAD event to trigger the infection. .HTM, and .HTT files on
the local system are infected by appending them with the encrypted,
viral code. .HTT files are prepended with the BODY ONLOAD trigger,
while this action is placed at the beginning of the virus body in .HTM
files. The default mail account is retrieved from the registry and a
stationary file is created, "BLANK.HTM", and is set as the default
stationary file.

*
HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook
Express\
5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft
Shared\Stationery\blank.htm
*
HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook
Express\
5.0\Mail "Wide Stationery Name=C:\Program Files\Common
Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\
Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet
Settings\
0a0d020000000000c000000000000046\001e0360=blank
* HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\C ommon\
MailSettings\NewStationery=blank

The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS
SYSTEM directory and a registry run key is created to load the script
at startup:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\
Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll

This is effective due to the fact that several other registry keys are
created to re-associate .DLL files with the WSCRIPT.EXE handler.

* HKEY_CLASSES_ROOT\dllfile\ScriptEngine\
(Default)=VBScript
* HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\
(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
* HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\
(Default)=C:\WINDOWS\WScript.exe "%1" %*
* HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHan dlers\
WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}


Symptoms

- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents



Method Of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to
infect .HTM documents and configure email clients to include an
infected document along with each message that is sent out.

Lostgallifreyan wrote:

Noit that I reposted just to correct that dumb typo. I've decided
to forward that URL to the Topcites abuse section. I think they'll
want that stopped ASAP especially as this isn't the first time this
has been attempted by the same person.

That will be the second or third report. I also filed a report earlier this
morning when it first appeared.

Regards,

Mike Monett

Antiviral Antibacterial Silver Solution:
http://silversol.freewebpage.org/index.htm
SPICE Analysis of Crystal Oscillators:
http://silversol.freewebpage.org/spice/xtal/clapp.htm
Noise-Rejecting Wideband Sampler:
http://www3.sympatico.ca/add.automat...pler/intro.htm

On Mon, 17 Jul 2006 18:16:06 +0000, Lostgallifreyan wrote:
"Paul Hovnanian P.E." wrote in
Eeyore wrote:
wrote:

http://ansari1.topcities.com/

There's a virus there. VBS/Redlof

Darn. Another thing that's not supported on my Linux system.

Me, too. sigh ;-)

This is why I have Proximtron replave VBscript with ****tardScript. It's
perfect for cases like this one. A look at his pages source shows a large
wodge of binary executable code.

He doesn't even try to hide it!
-----quote-----
script language="vbscript"
ExeString =
"bunch of binary crap...
-----/quote-----

Cheers!
Rich

On Mon, 17 Jul 2006 09:44:43 -0700, mike.j.harvey wrote:


wrote:
http://ansari1.topcities.com/

Your English is crap, and there is no math in your crazy ranting. You
will go in my kill file. You are crazy.

And you've looked.


Better run your virus scanner!

Good Luck!
Rich

wrote in
oups.com:


Lostgallifreyan wrote:

The person leasing that domain is deliberately trying to get people
on usenet (and maybe other systems) to visit his site, on which he
hosts a VisualBasic script with a large block of executable binary
code designed to infect people with a virus that several people have
independently identified as VBS/Redlof. I ignored the first time this
idiot did this a couple of weeks ago, but it shouldn't be left
unchecked.


VIRUS NAME : VBS/Redlof@M

Virus Characteristics

This is a file infecting VBScript that sets a default, infected,
stationary file for the Microsoft Outlook and Outlook Express email
client programs. It exploits the Microsoft VM ActiveX Component
Vulnerability.

The script arrives in an email message, hidden from the user, or can
be present on websites that contain infected .HTM files. The virus
uses the BODY ONLOAD event to trigger the infection. .HTM, and .HTT
files on the local system are infected by appending them with the
encrypted, viral code. .HTT files are prepended with the BODY ONLOAD
trigger, while this action is placed at the beginning of the virus
body in .HTM files. The default mail account is retrieved from the
registry and a stationary file is created, "BLANK.HTM", and is set as
the default stationary file.

*
HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook
Express\
5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft
Shared\Stationery\blank.htm
*
HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook
Express\
5.0\Mail "Wide Stationery Name=C:\Program Files\Common
Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\
Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet
Settings\
0a0d020000000000c000000000000046\001e0360=blank
* HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\C ommon\
MailSettings\NewStationery=blank

The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS
SYSTEM directory and a registry run key is created to load the script
at startup:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\
Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll

This is effective due to the fact that several other registry keys are
created to re-associate .DLL files with the WSCRIPT.EXE handler.

* HKEY_CLASSES_ROOT\dllfile\ScriptEngine\
(Default)=VBScript
* HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\
(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
* HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\
(Default)=C:\WINDOWS\WScript.exe "%1" %*
* HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHan dlers\
WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}


Symptoms

- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents



Method Of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to
infect .HTM documents and configure email clients to include an
infected document along with each message that is sent out.




So you're saying it maybe isn't deliberate? Ok, but that guy was told last
time, and has done nothing to secure his system, and everything to try to
get people to click his infected page. How far should people be protected
from their own folly? This time others need protection from him.

Rich Grise wrote in
news
On Mon, 17 Jul 2006 18:16:06 +0000, Lostgallifreyan wrote:
"Paul Hovnanian P.E." wrote in
Eeyore wrote:
wrote:

http://ansari1.topcities.com/

There's a virus there. VBS/Redlof

Darn. Another thing that's not supported on my Linux system.

Me, too. sigh ;-)

This is why I have Proximtron replave VBscript with ****tardScript.
It's perfect for cases like this one. A look at his pages source
shows a large wodge of binary executable code.

He doesn't even try to hide it!
-----quote-----
script language="vbscript"
ExeString =
"bunch of binary crap...
-----/quote-----

Cheers!
Rich



Yep, I think mike j harvey is right, it's probably not deliberate, he just
got infected. Even so, he's been told before, has done nothing except
repost attempts to get people to visit the infected page, so he needs to be
stopped cos he can't help himself. Mike Monett has the right idea. I
think if there are more reports, someone will stop it at source.

Lostgallifreyan wrote:

Yep, I think mike j harvey is right, it's probably not deliberate, he just
got infected.

I didn't actually mean to imply ***anything at all*** about whether his
site was knowingly infected by him or not. I merely copied-and-pasted
the description of this virus from a website namely

http://www.virus-scan-software.com/l...redlof-m.shtml

He seems so crazy that it seems feasible that he knows nothing about
the virus, although if you go to Google Groups and look at "messages by
this author" you'll see that until very recently he was using Geocities
for his crazy pages. The address (now unavailable) was:-

http://www.geocities.com/hamid_vasigh_ansari

wrote in
ups.com:


Lostgallifreyan wrote:

Yep, I think mike j harvey is right, it's probably not deliberate, he
just got infected.

I didn't actually mean to imply ***anything at all*** about whether
his site was knowingly infected by him or not. I merely
copied-and-pasted the description of this virus from a website namely

http://www.virus-scan-software.com/l...latest-viruses
/vbsredlof-m.shtml

He seems so crazy that it seems feasible that he knows nothing about
the virus, although if you go to Google Groups and look at "messages
by this author" you'll see that until very recently he was using
Geocities for his crazy pages. The address (now unavailable) was:-

http://www.geocities.com/hamid_vasigh_ansari



Yes. Graham (Eeyore) posted that to bring attention to the earlier thread.
Also, I think that Topcities is a very small operation, not at all to be
confused with Geocities, the original host. So, as the page itself has been
migrated to more than one host, virus intact, I think we can assume that
the attempt to spread the virus is very deliberate. Geocities have taken
down the original, and no doubt told 'ansari' why they did so, and again,
this person is trying to infect people.

I posted word to the guy who registered the Topcities domain, but haven't
heard word back, nor is that page offline yet.

Graham posted in the earlier thread today, and his post shows stuff that
places 'ansari' in Iran, so there no chance of getting any kind of action
there, they have bigger problems. So we'll just have to get to his hosting
base each time.

Yes. Graham (Eeyore) posted that to bring attention to the earlier thread.
Also, I think that Topcities is a very small operation, not at all to be
confused with Geocities, the original host. So, as the page itself has been
migrated to more than one host, virus intact, I think we can assume that
the attempt to spread the virus is very deliberate. Geocities have taken
down the original, and no doubt told 'ansari' why they did so, and again,
this person is trying to infect people.

Maybe ansari don't have a clue regarding viruses.

I posted word to the guy who registered the Topcities domain, but haven't
heard word back, nor is that page offline yet.

Clueless webbhotel?

Graham posted in the earlier thread today, and his post shows stuff that
places 'ansari' in Iran, so there no chance of getting any kind of action
there, they have bigger problems. So we'll just have to get to his hosting
base each time.

If the country won't handle abuse properly, there's always the option to
promote netblocking of it.

wrote in message
...
Yes. Graham (Eeyore) posted that to bring attention to the earlier
thread.
Also, I think that Topcities is a very small operation, not at all to be
confused with Geocities, the original host. So, as the page itself has
been
migrated to more than one host, virus intact, I think we can assume that
the attempt to spread the virus is very deliberate. Geocities have taken
down the original, and no doubt told 'ansari' why they did so, and again,
this person is trying to infect people.

Maybe ansari don't have a clue regarding viruses.

I posted word to the guy who registered the Topcities domain, but haven't
heard word back, nor is that page offline yet.

Clueless webbhotel?

Graham posted in the earlier thread today, and his post shows stuff that
places 'ansari' in Iran, so there no chance of getting any kind of action
there, they have bigger problems. So we'll just have to get to his hosting
base each time.

If the country won't handle abuse properly, there's always the option to
promote netblocking of it.


CAUTION!

Can anyone check my reply is clean?

AVG seems to be struggling a bit with this one!!!

ian field wrote:

wrote in message
...
Yes. Graham (Eeyore) posted that to bring attention to the earlier
thread.
Also, I think that Topcities is a very small operation, not at all to be
confused with Geocities, the original host. So, as the page itself has
been
migrated to more than one host, virus intact, I think we can assume that
the attempt to spread the virus is very deliberate. Geocities have taken
down the original, and no doubt told 'ansari' why they did so, and again,
this person is trying to infect people.

Maybe ansari don't have a clue regarding viruses.

I posted word to the guy who registered the Topcities domain, but haven't
heard word back, nor is that page offline yet.

Clueless webbhotel?

Graham posted in the earlier thread today, and his post shows stuff that
places 'ansari' in Iran, so there no chance of getting any kind of action
there, they have bigger problems. So we'll just have to get to his hosting
base each time.

If the country won't handle abuse properly, there's always the option to
promote netblocking of it.


CAUTION!

Can anyone check my reply is clean?

AVG seems to be struggling a bit with this one!!!

Nothing here but I'm sure news needs an attachment to carry a virus.

If your AVG was up to date you were fine.

Graham

"Eeyore" wrote in
message ...


ian field wrote:

wrote in message
...
Yes. Graham (Eeyore) posted that to bring attention to the earlier
thread.
Also, I think that Topcities is a very small operation, not at all to
be
confused with Geocities, the original host. So, as the page itself has
been
migrated to more than one host, virus intact, I think we can assume
that
the attempt to spread the virus is very deliberate. Geocities have
taken
down the original, and no doubt told 'ansari' why they did so, and
again,
this person is trying to infect people.

Maybe ansari don't have a clue regarding viruses.

I posted word to the guy who registered the Topcities domain, but
haven't
heard word back, nor is that page offline yet.

Clueless webbhotel?

Graham posted in the earlier thread today, and his post shows stuff
that
places 'ansari' in Iran, so there no chance of getting any kind of
action
there, they have bigger problems. So we'll just have to get to his
hosting
base each time.

If the country won't handle abuse properly, there's always the option
to
promote netblocking of it.


CAUTION!

Can anyone check my reply is clean?

AVG seems to be struggling a bit with this one!!!

Nothing here but I'm sure news needs an attachment to carry a virus.

If your AVG was up to date you were fine.

Graham



AVG updated earlier today - when I scanned after the warning about the
infected link it found the VB virus but halted with an error when I clicked
"heal", and when I clicked "move to virus vault" the PC appeared to lock up!
However the lock up may have been the NiMh's in the wireless mouse giving
out at the most inconvenient time possible!! The scan I've just done reports
clean (fingers crossed!).

Thanks for checking by.

ian field wrote:

"Eeyore" wrote in
message ...


If your AVG was up to date you were fine.

Graham


AVG updated earlier today - when I scanned after the warning about the
infected link it found the VB virus but halted with an error when I clicked
"heal", and when I clicked "move to virus vault" the PC appeared to lock up!
However the lock up may have been the NiMh's in the wireless mouse giving
out at the most inconvenient time possible!! The scan I've just done reports
clean (fingers crossed!).

It didn't find the virus when the page loaded ? It did take a while btw. As long
as it needed to download I suppose.

Sounds like you're fine though.

Graham

Lostgallifreyan wrote:

Hmmm.. It's not exactly a Geocities clone The 'abuse section' might
well
be one guy Kenny Jou ), according to a DirectNIC
whois test of topcities.com.

I sent him the following message:


[BEGIN]
"Abuse of Topcities hosting. Deliberate viral infector."

http://ansari1.topcities.com/

Please NUKE this guy's account and do usenet a favour!

The person leasing that domain is deliberately trying to get people on
usenet (and maybe other systems) to visit his site, on which he hosts a
VisualBasic script with a large block of executable binary code designed
to
infect people with a virus that several people have independently
identified as VBS/Redlof. I ignored the first time this idiot did this a
couple of weeks ago, but it shouldn't be left unchecked.

Please nuke his account, I don't think there's any need to ask him nicely
or to give him a chance to change the script, he probably had to work to
put it there.
[END]

If anyone can do better than this and is feeling petulant and with time to
spare, have at it.

And yet you did not CC the FBI, DHS, or any other law enforcement
organization?

--
JosephKK
Gegen dummheit kampfen die Gotter Selbst, vergebens.Â*Â*
--Schiller