
OT: Fwiw: HEADS-UP .... Live in action: botnet, fake Windows sites and keylogger


Guest guest


DO NOT CLICK ON ANY LINKS IN ANY EMAILS FOR ANY REASON unless you're really really sure of its destination.

You can highlight a URL, copy it, and paste it into your browser; that's safer. Beware of foreign links (.il, .it, .de, .ru, etc.).

The below links in the blog post are all 'safe', but you are safest if you highlight the first link, going to a known site (zdnet) and read this information there.

This is a very serious threat to your computer. Over the last few weeks, email inboxes have been bombarded with unsafe emails; a worm virus is spreading (seeing more and more 'infections' daily).

Do not click on links to "Chase" or "Paypal" or "eBay" that threaten your account, or offer you 20% off, or say you bid on something BIG and you're going to get negative feedback. Even if it looks like an eBay message from another eBayer... chances are, it's NOT (you can forward them to 'spoof@...' or 'spoof@...'). You should go to the site itself, with your own bookmark or by typing in the link, and see if that SAME message is on that site; if not, it's a phishing mail.

DO NOT BE TRICKED! Once you click on a bad link, it's TOO late.

--------------------------------------------

http://blogs.zdnet.com/Spyware/index.php?p=791&tag=nl.e550 <--- safe to click, but safer if you copy and paste into a browser

Live in action: botnet, fake Windows sites and keylogger

Posted by Suzi @ 7:57 pm

This has been occupying a lot of my attention since Friday. It started off with a message at my SpywareWarrior forum from Adam Piggott of Proactive Computing, about a spam email (screenshot) he received purporting to be from Microsoft. The email had a link to a supposed Windows update site, but, in fact, the link went to a site running the WMF exploit. On an unpatched Windows computer, the exploit hits immediately. Social engineering is also at work, urging users to click a link at the site to get Windows updates. Either way, unpatched, or patched and clicking the link, a user gets hit with a trojan downloader; in this case the trojan file name is wusetup.exe

Note I'm using the present tense because, even though we got the first site shut down Friday evening, now another almost identical site is up and still live AFAIK. Authorities and the ISP hosting the second site have been notified. The site is hosted in the US. I made a video (WMV) of the exploit at the first site, now shut down.

The trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. The trojan also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger. This keylogger is writing information stolen from infected machines to a log on a remote server — the same situation as described here in SunbeltBLOG's post last August when their researcher discovered the first of this new series of winldra variants.
