Today I’m going to do something different.  Yes, I’m also going to do something different on the blog.  I’d like to welcome my cohort in Linux, Art Alexion.  He had a very interesting experience recently and I insisted on having him write it down.  It starts when he used Google to find out how to unpack a file.

———————————————————————————

So, I tried the second link.  This is a link to
http://elements-webdesign.com/ogang/pxchj/files/files.htm&ei=cZlwSc34IJ3etgfVn9TqCA&usg=AFQjCNEP-NlrSzIeu7YZ7OmXaINDumec-A&sig2=HOVomUvnLG0iIedEYY4Q1w

That link redirects to radiantspywarescanner.com.  That site tries to install Antivirus 2009 on your system.  The first indication was a JavaScript message box telling me I may be infected and asking me to do a scan.  Since I was using Linux, I figured I’d have some fun and let it try.  I was presented with a web page that had an embedded animated GIF that was purporting to do a scan of my EXEs and DLLs (ha ha).

Next it used a layer to present a very convincing-looking WinXP dialog with ‘Microsoft Windows’ in the title bar showing me the viruses it found and asking me to install.  Of course, no matter where I clicked on it, it tried to install its nefarious payload.

I expected it to just fail, but our SonicWall blocked it before incompatibility with Linux did.

If you have ever been called on to help friends or users infected with this thing, it is fun to see how they got it, from a safe distance.

Whois info:
Registrant:
Name: Aennova M Decisionware
Address: Rua Maestro Cardim 1101   cj. 112
City: São Paulo
Province/state: NA
Country: BR
Postal Code: 01323

Current Registrar: TODAYNIC.COM, INC.
IP Address: 94.247.3.43 (ARIN & RIPE IP search)
IP Location: UK(UNITED KINGDOM)
Lock Status: clientTransferProhibited
DMOZ no listings
Y! Directory: see listings
Data as of: 14-Jun-2005

———————————————————————————

Yet another great reason to run Linux.

Thanks, Art.