  #1 (permalink)  
Old 01-23-2008, 11:20 PM
Rick Merrill
Guest
 
Posts: n/a
Default suspicious site

how do you check out something like this?

volny.cz/svhgjtt/dental-plan.html

  #2 (permalink)  
Old 01-23-2008, 11:39 PM
David H. Lipman
Guest
 
Posts: n/a
Default Re: suspicious site

From: "Rick Merrill" <rick0.merrill@NOSPAM.gmail.com>

| how do you check out something like this?
|
| volny.cz/svhgjtt/dental-plan.html

It is a malware related web site that uses VBS/Psyme to download a Renos trojan and a
ByteVerify exploit to install a rogue anti malware utility called Spy-Shredder.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  #3 (permalink)  
Old 01-24-2008, 04:17 PM
Rick Merrill
Guest
 
Posts: n/a
Default Re: suspicious site

David H. Lipman wrote:
> From: "Rick Merrill" <rick0.merrill@NOSPAM.gmail.com>
>
> | how do you check out something like this?
> |
> | volny.cz/svhgjtt/dental-plan.html
>
> It is a malware related web site that uses VBS/Psyme to download a Renos trojan and a
> ByteVerify exploit to install a rogue anti malware utility called Spy-Shredder.
>
>


I didn't know about 'byteverify' but it appears to be a hijacked site,
but 'from whom' it was hijacked I couldn't tell. Is the whole 'cz'
domain not to be trusted?


  #4 (permalink)  
Old 01-24-2008, 10:12 PM
David H. Lipman
Guest
 
Posts: n/a
Default Re: suspicious site

From: "Rick Merrill" <rick0.merrill@NOSPAM.gmail.com>


| I didn't know about 'byteverify' but it appears to be a hijacked site,
| but 'from whom' it was hijacked I couldn't tell. Is the whole 'cz'
| domain not to be trusted?

The ByteVerify is a Java exploit.

Example McAfee log...
5/5/2007 6:58:39 PM Deleted (Clean failed) DLIPMAN-1\lipman
D:\temp\jar_cache30809.tmp\JAR_CACHE30809.TMP Exploit-ByteVerify

It is NOT a hijacked site. It is purposefully malicious.
I can not state that all .CZ (Czech Republic) Domains can not be trusted.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  #5 (permalink)  
Old 01-24-2008, 11:12 PM
Sebastian G.
Guest
 
Posts: n/a
Default Re: suspicious site

David H. Lipman wrote:


> D:\temp\jar_cache30809.tmp\JAR_CACHE30809.TMP Exploit-ByteVerify
>
> It is NOT a hijacked site. It is purposefully malicious.
> I can not state that all .CZ (Czech Republic) Domains can not be trusted.


But what we can tell for sure is that the owner is horribly stupid. The Byte
Verifier vulnerability was, well, Java JDK 1.1? Even the similar-to-Java-
but-not-actually-Java-VM that Microsoft shipped with Windows 2000 and XP was
already at JDK 1.2 level, not vulnerable to this thing.

I still wonder how this thing is still in usage, even though the most stupid
bad guy would recognize an infection rate of essentially zero.

  #6 (permalink)  
Old 01-24-2008, 11:35 PM
David H. Lipman
Guest
 
Posts: n/a
Default Re: suspicious site

From: "Sebastian G." <seppi@seppig.de>


|
| But what we can tell for sure is that the owner is horribly stupid. The Byte
| Verifier vulnerability was, well, Java JDK 1.1? Even the similar-to-Java-
| but-not-actually-Java-VM that Microsoft shipped with Windows 2000 and XP was
| already at JDK 1.2 level, not vulnerable to this thing.
|
| I still wonder how this thing is still in usage, even though the most stupid
| bad guy would recognize an infection rate of essentially zero.

Exploit-ByteVerify is rather generic. Many newer versions of Sun Java were also vulnerable.
There have been many variants to ByteVerify and they seem to increase.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  #7 (permalink)  
Old 01-25-2008, 01:47 AM
Sebastian G.
Guest
 
Posts: n/a
Default Re: suspicious site

David H. Lipman wrote:


> | But what we can tell for sure is that the owner is horribly stupid. The Byte
> | Verifier vulnerability was, well, Java JDK 1.1? Even the similar-to-Java-
> | but-not-actually-Java-VM that Microsoft shipped with Windows 2000 and XP was
> | already at JDK 1.2 level, not vulnerable to this thing.
> |
> | I still wonder how this thing is still in usage, even though the most stupid
> | bad guy would recognize an infection rate of essentially zero.
>
> Exploit-ByteVerify is rather generic. Many newer versions of Sun Java were also vulnerable.



Hm? I've followed through the release notes of every version of Sun's Java
VM since JDK 1.2 and I'm very sure that they never mentioned any security
vulnerability in the bytecode verifier. Not even after they changed the
class format for helping implement the much simpler and more secure
SSA-based verifier.

> There have been many variants to ByteVerify and they seem to increase.


According to my analysis, it's the same old dysfunctional crap from '98.

  #8 (permalink)  
Old 01-26-2008, 05:32 PM
blackhat
Guest
 
Posts: n/a
Default Re: suspicious site

On Jan 23, 7:20 pm, Rick Merrill <rick0.merr...@NOSPAM.gmail.com>
wrote:
> how do you check out something like this?
>
> volny.cz/svhgjtt/dental-plan.html


You don't, just stay away from it

  #9 (permalink)  
Old 02-01-2008, 03:02 PM
Casper
Guest
 
Posts: n/a
Default Re: suspicious site

Rick Merrill brought next idea :
> how do you check out something like this?
>
> volny.cz/svhgjtt/dental-plan.html


I use a text browser like Lynx to go to suspicious sites
(there is also a lynx for windows)



  #10 (permalink)  
Old 02-01-2008, 03:25 PM
Todd H.
Guest
 
Posts: n/a
Default Re: suspicious site

Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:

> how do you check out something like this?
>
> volny.cz/svhgjtt/dental-plan.html


Curl would pull the html down and dump it in a text file -- handy
commandline tool.

--
Todd H.
http://www.toddh.net/
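
The curl approach suggested in the post above, as an added example that is not part of the original thread: fetch the page as inert text without rendering it, then count the active-content tags (script, VBScript, applet, object, iframe) that deserve a closer look. The function names and the sample markup are constructed for illustration; `fetch_raw` needs network access and is not called here.

```shell
#!/bin/sh
# Added example (not from the thread): static triage of a page saved with curl.

# fetch_raw URL OUTFILE: save the body as plain bytes; nothing is rendered,
# redirects are not followed, and size and time are capped.
fetch_raw() {
    curl --silent --show-error --max-redirs 0 --max-time 20 \
         --max-filesize 1048576 --proto '=http,https' \
         --output "$2" --url "$1"
}

# count_tag FILE TAG: number of opening <TAG ...> occurrences, case-insensitive.
count_tag() {
    grep -oiE "<$2([[:space:]>]|\$)" "$1" | wc -l | tr -d ' '
}

# triage_html FILE: one-line summary of active content found in the file.
triage_html() {
    printf 'script=%s vbscript=%s applet=%s object=%s iframe=%s\n' \
        "$(count_tag "$1" script)" \
        "$(grep -i 'vbscript' "$1" | wc -l | tr -d ' ')" \
        "$(count_tag "$1" applet)" \
        "$(count_tag "$1" object)" \
        "$(count_tag "$1" iframe)"
}

# make_sample FILE: write a constructed, payload-free page for offline testing.
make_sample() {
    cat > "$1" <<'EOF'
<html><body>
<SCRIPT language="VBScript">' constructed placeholder, no payload
</SCRIPT>
<applet code="Placeholder.class" archive="placeholder.jar" width=1 height=1></applet>
<iframe src="http://example.invalid/" width=0 height=0></iframe>
</body></html>
EOF
}

# Offline demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
triage_html "$sample"
rm -f "$sample"
```

Non-zero counts only say where to read next in the saved file; the saved file itself should be opened in a text editor or pager, not a browser.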

  #11 (permalink)  
Old 02-05-2008, 02:50 AM
paul
Guest
 
Posts: n/a
Default Re: suspicious site

On Feb 1, 9:25 pm, comph...@toddh.net (Todd H.) wrote:
> Rick Merrill <rick0.merr...@NOSPAM.gmail.com> writes:
> > how do you check out something like this?
> >
> > volny.cz/svhgjtt/dental-plan.html
>
> Curl would pull the html down and dump it in a text file -- handy
> commandline tool.
>
> --
> Todd H.
> http://www.toddh.net/


www.siteadvisor.com

All times are GMT. The time now is 09:44 AM.

