Possible threat?

Tony Arnold tony.arnold at manchester.ac.uk
Thu Dec 20 16:48:09 UTC 2012


Rikona,

On 20/12/12 16:40, rikona wrote:
> Some folks on a mailing list have been infected with a virus that
> seems to be spreading rapidly. I thought I'd get a little info about
> who might be behind this by looking up the domain, which has been
> changing more than once a day. Earlier domains were very recently
> created, with a bogus admin contact, in the Ukraine.
> 
> The current one is newsonmsnbc.com. I thought I'd copy this and do a
> whois. This time, though, I was in Claws mail, and not in my usual
> client, TheBat. Unfortunately, Claws mail immediately opens the link
> if you press the mouse button anywhere inside the link, and so it was
> opening in Opera even before I could move the mouse to copy. As soon
> as I realized this I went to Opera, stopped the access, and closed the
> tab. BUT - there was a very large surge of continuous disk activity
> which continued for a couple of minutes, with nothing else going on in
> the box [running 10.04]. Maybe a coincidence, but worrisome.
> 
> So, what is the best way to check for a possible new malware problem
> if one sees suspicious activity?
> 
> Anyone know what the newsonmsnbc.com link is trying to do?

Not sure but here is the whois output:

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: NEWSONMSNBC.COM

Creation Date: 20-Dec-2012
Modification Date: 20-Dec-2012
Expiration Date: 20-Dec-2013

Domain servers in listed order:
ns1.hipflwow.ru
ns2.hipflwow.ru

Registrant:
Arthor Brown arthor-brown289289 at ymail.com
TNew line ave 172 95
NY, 18274
UNITED STATES
+1.7343541732


So, something to do with the Ukraine, with authoritative domain servers
in Russia!

If you look up the IP addresses of www.newsonmsnbc.com you get 4
addresses. Two of them have a country code of PT and one of them is in
Russia.

I wouldn't go near it personally.

Regards,
Tony.
-- 
Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: tony.arnold at manchester.ac.uk
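
An added example, not part of the original message: a small Python triage of the whois fields quoted above, flagging the traits this thread discusses (a very recent registration, name servers under another TLD) plus the free webmail contact. `SAMPLE_WHOIS` is constructed from those fields; the function names, the `FREE_MAIL` list and the 30-day threshold are assumptions.

```python
import re
from datetime import date, datetime
# Constructed sample: the whois fields quoted in the message above.
SAMPLE_WHOIS = """\
Domain Name: NEWSONMSNBC.COM
Creation Date: 20-Dec-2012
Domain servers in listed order:
ns1.hipflwow.ru
ns2.hipflwow.ru
Registrant:
Arthor Brown arthor-brown289289 at ymail.com
"""
FREE_MAIL = {"ymail.com", "gmail.com", "hotmail.com"}  # assumed, illustrative list
HOST = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# The list archive rewrites "@" as " at ", so accept both forms.
EMAIL = re.compile(r"[\w.+-]+(?:@| at )([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def parse_whois(text):
    """Pull domain, creation date, name servers and contact mail domains."""
    rec = {"domain": None, "created": None, "nameservers": [], "mail_domains": []}
    in_ns = False
    for line in (raw.strip() for raw in text.splitlines()):
        if in_ns:
            if HOST.fullmatch(line):
                rec["nameservers"].append(line.lower())
                continue
            in_ns = False  # a blank or non-host line ends the server list
        if m := re.match(r"Domain Name:\s*(\S+)", line, re.I):
            rec["domain"] = m.group(1).lower()
        elif m := re.match(r"Creation Date:\s*(\d{2}-[A-Za-z]{3}-\d{4})", line, re.I):
            rec["created"] = datetime.strptime(m.group(1), "%d-%b-%Y").date()
        elif line.lower().startswith("domain servers"):
            in_ns = True
        elif m := EMAIL.search(line):
            rec["mail_domains"].append(m.group(1).lower())
    return rec

def triage(rec, today, max_age_days=30):
    """Return weak indicators for an analyst to weigh; none is a verdict alone."""
    flags = []
    if rec["created"] and 0 <= (today - rec["created"]).days <= max_age_days:
        flags.append(f"registered {(today - rec['created']).days} day(s) before the check")
    tld = (rec["domain"] or "").rsplit(".", 1)[-1]
    other = sorted({ns.rsplit(".", 1)[-1] for ns in rec["nameservers"]} - {tld})
    if other:
        flags.append("name servers under a different TLD: " + ", ".join(other))
    if FREE_MAIL & set(rec["mail_domains"]):
        flags.append("registrant contact uses a free webmail address")
    return flags
```

Calling `triage(parse_whois(SAMPLE_WHOIS), today=date(2012, 12, 20))` returns three indicators for this record; the text can be fetched by hand with the `whois` command, so the suspicious link itself is never opened.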



