Possible threat?

Tony Arnold tony.arnold at manchester.ac.uk
Thu Dec 20 16:48:09 UTC 2012


On 20/12/12 16:40, rikona wrote:
> Some folks on a mailing list have been infected with a virus that
> seems to be spreading rapidly. I thought I'd get a little info about
> who might be behind this by looking up the domain, which has been
> changing more than once a day. Earlier domains were very recently
> created, with a bogus admin contact, in the Ukraine.
> The current one is newsonmsnbc.com. I thought I'd copy this and do a
> whois. This time, though, I was in Claws mail, and not in my usual
> client, TheBat. Unfortunately, Claws mail immediately opens the link
> if you press the mouse button anywhere inside the link, and so it was
> opening in Opera even before I could move the mouse to copy. As soon
> as I realized this I went to Opera, stopped the access, and closed the
> tab. BUT - there was a very large surge of continuous disk activity
> which continued for a couple of minutes, with nothing else going on in
> the box [running 10.04]. Maybe a coincidence, but worrisome.
> So, what is the best way to check for a possible new malware problem
> if one sees suspicious activity?
> Anyone know what the newsonmsnbc.com link is trying to do?

Not sure but here is the whois output:

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123


Creation Date: 20-Dec-2012
Modification Date: 20-Dec-2012
Expiration Date: 20-Dec-2013

Domain servers in listed order:

Arthor Brown arthor-brown289289 at ymail.com
TNew line ave 172 95
NY, 18274

So, something to do with the Ukraine, with authoritative domain servers
in Russia!

If you look up the IP addresses of www.newsonmsnbc.com you get 4
addresses. Two of them have a country code of PT and one of them is in

I wouldn't go near it personally.

Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: tony.arnold at manchester.ac.uk
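
An added example, not part of the original message: the whois output quoted above shows a creation date equal to the date of the post, and this sketch turns that observation into a repeatable domain-age check. The field labels, the accepted date formats and the 30-day `young_days` threshold are assumptions made for illustration, and the sample input is constructed from the three date lines in the message.

```python
import re
from datetime import date, datetime

# Constructed sample: the three date fields from the whois output quoted above.
SAMPLE_WHOIS = """\
Creation Date: 20-Dec-2012
Modification Date: 20-Dec-2012
Expiration Date: 20-Dec-2013
"""

# Assumption: "<Name> Date: <value>" labels as in the quoted output; other
# registries label these fields differently and need their own patterns.
FIELD_RE = re.compile(r"^\s*(Creation|Modification|Expiration) Date:\s*(\S+)\s*$",
                      re.IGNORECASE | re.MULTILINE)
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ")


def parse_date(text):
    """Return a date for the first matching format, or None if none match."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def whois_dates(whois_text):
    """Map 'creation' / 'modification' / 'expiration' to parsed dates."""
    found = {}
    for name, value in FIELD_RE.findall(whois_text):
        parsed = parse_date(value)
        if parsed is not None:
            found.setdefault(name.lower(), parsed)  # keep first occurrence
    return found


def assess(whois_text, seen_on, young_days=30):
    """Classify domain age relative to the day the link was seen."""
    created = whois_dates(whois_text).get("creation")
    if created is None:
        return {"verdict": "unknown", "age_days": None}
    age = (seen_on - created).days
    if age < 0:
        return {"verdict": "inconsistent", "age_days": age}
    verdict = "newly registered" if age <= young_days else "no age signal"
    return {"verdict": verdict, "age_days": age}


if __name__ == "__main__":
    # The message is dated 20 Dec 2012, the same day the domain was created.
    print(assess(SAMPLE_WHOIS, seen_on=date(2012, 12, 20)))
```

A young registration is a triage signal rather than proof of malice, so it is best combined with other evidence such as the contact details and name-server locations discussed in the message.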
