tony.arnold at manchester.ac.uk
Thu Dec 20 16:48:09 UTC 2012
On 20/12/12 16:40, rikona wrote:
> Some folks on a mailing list have been infected with a virus that
> seems to be spreading rapidly. I thought I'd get a little info about
> who might be behind this by looking up the domain, which has been
> changing more than once a day. Earlier domains were very recently
> created, with a bogus admin contact, in the Ukraine.
> The current one is newsonmsnbc.com. I thought I'd copy this and do a
> whois. This time, though, I was in Claws mail, and not in my usual
> client, TheBat. Unfortunately, Claws mail immediately opens the link
> if you press the mouse button anywhere inside the link, and so it was
> opening in Opera even before I could move the mouse to copy. As soon
> as I realized this I went to Opera, stopped the access, and closed the
> tab. BUT - there was a very large surge of continuous disk activity
> which continued for a couple of minutes, with nothing else going on in
> the box [running 10.04]. Maybe a coincidence, but worrisome.
> So, what is the best way to check for a possible new malware problem
> if one sees suspicious activity?
> Anyone know what the newsonmsnbc.com link is trying to do?
Not sure but here is the whois output:
Service Provided By: Center of Ukrainian Internet Names
Domain Name: NEWSONMSNBC.COM
Creation Date: 20-Dec-2012
Modification Date: 20-Dec-2012
Expiration Date: 20-Dec-2013
Domain servers in listed order:
Arthor Brown arthor-brown289289 at ymail.com
TNew line ave 172 95
So, something to do with the Ukraine, with authoritative domain servers
If you lookup the IP addresses of www.newsonmsnbc.com you get 4
addresses. Two of them have a country code of PT and one of them is in
I wouldn't go near it personally.
Tony Arnold, Tel: +44 (0) 161 275 6093
Head of IT Security, Fax: +44 (0) 705 344 3082
University of Manchester, Mob: +44 (0) 773 330 0039
Manchester M13 9PL. Email: tony.arnold at manchester.ac.uk
More information about the ubuntu-users