From: "PHSDL"
Subject: Zlob Trojan Spam Domain Variants
Date: Fri, 14 Dec 2007 19:58:11 +0900

I am aware of two Zlob Trojan redirect domain variants.

One is in the form of an ActiveX that tries to install itself when a contaminated Website is opened in a Browser. When using Norton AntiVirus it would crash the browser and install itself even if a user did not agree to installation. I do not know if this problem with Norton AV has been fixed. But using NOD32 prevents automatic installation and allows a user to close the browser.

Variant two comes as a Java Cab that tries to install itself automatically, but using the Sun Microsystems Java Virtual Machine I can choose not to accept the installation.
http://www.java.com/en/index.jsp

There are different ways that generate the attack. But all involve going to a contaminated site. One is a porn video site and clicking on the embedded porn video pictures; another is just opening a URL in a list of many URLs...

Thank you,
Igor Berger
PHSDL Administrator