Swimmer

AIM "virus" NEED HELP WITH IP ADDRESS OF SERVER!!

Hey guys got a new one for you...

206.67.61.8

that is the IP address of the offending server.. looking for who owns it.. Basically if you get an IM that says something to this effect.. "ITswag's Pics from the beach :D!!!" as an auto response.. that is how it is delivered.. the address on that link is H**p://w*w.service24.com/photos/pictures.pif--> DON'T CLICK THIS LINK!!!!! I removed some of the letters to prevent problems.. but I am looking for the owner of this server.. they are going to receive a call from me and most likely Purdue University.. it is spreading like wildfire!!! It doesn't seem to affect Trillian..

Thanks guys!

206.67.61.8

Blacklist Status: Listed - Cached Today

Cached Whois: Cached today

Record Type: IP Address

IP Location: United States United States - Massachusetts - Marshfield - Media 3 Technologies Llc

Reverse IP: Web server hosts 1 websites (reverse ip tool requires free login)

Reverse DNS: service24.com

UUNET Technologies, Inc. NETBLK-UUNETCBLK64-67 (NET-206-64-0-0-1)

                                  206.64.0.0 - 206.67.255.255

Media 3 Technologies, LLC UU-206-67-48-D1 (NET-206-67-48-0-1)

                                  206.67.48.0 - 206.67.63.255

Not a person...or a person in a hotel so they can disguise themselves.. hmmm

oh and the "hosted website"  is

- www.Service24.com -  Click at your own risk.

It looks like it's registered to UU.net which is an ISP:

WhoIs Lookup performed by Karen's WhoIs

http://www.karenware.com/

OrgName:    UUNET Technologies, Inc.

OrgID:      UU

Address:    22001 Loudoun County Parkway

City:      Ashburn

StateProv:  VA

PostalCode: 20147

Country:    US

NetRange:  206.64.0.0 - 206.67.255.255

CIDR:      206.64.0.0/14

NetName:    NETBLK-UUNETCBLK64-67

NetHandle:  NET-206-64-0-0-1

Parent:    NET-206-0-0-0-0

NetType:    Direct Allocation

NameServer: AUTH00.NS.UU.NET

NameServer: AUTH01.NS.UU.NET

Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

RegDate:    1995-07-05

Updated:    2001-09-26

TechHandle: UUPM-ARIN

TechName:  UUNET Postmaster

TechPhone:  +1-703-206-5440

TechEmail:  [email protected]

OrgAbuseHandle: ABUSE3-ARIN

OrgAbuseName:  abuse

OrgAbusePhone:  +1-800-900-0241

OrgAbuseEmail:  [email protected]

OrgNOCHandle: OA12-ARIN

OrgNOCName:  UUnet Technologies, Inc., Technologies

OrgNOCPhone:  +1-800-900-0241

OrgNOCEmail:  [email protected]

OrgTechHandle: SWIPP-ARIN

OrgTechName:  swipper

OrgTechPhone:  +1-800-900-0241

OrgTechEmail:  [email protected]

OrgName:    Media 3 Technologies, LLC

OrgID:      MD3T

Address:    33 Riverside Dr.

City:      Pembroke

StateProv:  MA

PostalCode: 02359

Country:    US

NetRange:  206.67.48.0 - 206.67.63.255

CIDR:      206.67.48.0/20

NetName:    UU-206-67-48-D1

NetHandle:  NET-206-67-48-0-1

Parent:    NET-206-64-0-0-1

NetType:    Reallocated

Comment:   

RegDate:    1997-09-15

Updated:    1999-07-13

TechHandle: RH504-ARIN

TechName:  Hayes, Robert

TechPhone:  +1-617-963-6050

TechEmail:  [email protected]

# ARIN WHOIS database, last updated 2005-02-10 19:10
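
The two ARIN records quoted above (UUNET's parent allocation and the block reallocated to Media 3) are enough to answer the thread's "who owns it" question mechanically: find the most specific allocation containing 206.67.61.8, read its contact, and follow the Parent handle upward to the ISP for escalation. The block below is an added example, not code from any poster in this thread. It embeds the two records exactly as quoted (the e-mail fields, which are redacted on the page, are left out), uses only the Python standard library, and also sanity-checks that each NetRange line agrees with its CIDR line.

```python
import ipaddress
import re

# Constructed from the two ARIN records quoted in the thread. Redacted e-mail
# fields are omitted; every other value is as shown on the page.
WHOIS_TEXT = """\
OrgName:    UUNET Technologies, Inc.
OrgID:      UU
NetRange:   206.64.0.0 - 206.67.255.255
CIDR:       206.64.0.0/14
NetName:    NETBLK-UUNETCBLK64-67
NetHandle:  NET-206-64-0-0-1
Parent:     NET-206-0-0-0-0
NetType:    Direct Allocation
OrgAbuseHandle: ABUSE3-ARIN
OrgAbusePhone:  +1-800-900-0241

OrgName:    Media 3 Technologies, LLC
OrgID:      MD3T
NetRange:   206.67.48.0 - 206.67.63.255
CIDR:       206.67.48.0/20
NetName:    UU-206-67-48-D1
NetHandle:  NET-206-67-48-0-1
Parent:     NET-206-64-0-0-1
NetType:    Reallocated
TechHandle: RH504-ARIN
TechPhone:  +1-617-963-6050
"""


def parse_whois_records(text):
    """Split ARIN-style 'Key: value' output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def netrange_matches_cidr(rec):
    """Sanity check: the NetRange line should describe exactly the CIDR block."""
    first, last = (ipaddress.ip_address(s.strip()) for s in rec["NetRange"].split("-"))
    summarized = list(ipaddress.summarize_address_range(first, last))
    return summarized == [ipaddress.ip_network(rec["CIDR"])]


def most_specific_allocation(ip, records):
    """Return the record whose CIDR contains ip with the longest prefix.

    That is the reallocation (the customer), not the ISP's parent block."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        if "CIDR" not in rec:
            continue
        net = ipaddress.ip_network(rec["CIDR"], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None


def abuse_contact(rec):
    """Prefer the abuse desk; fall back to the tech contact listed on the record."""
    for key in ("OrgAbusePhone", "TechPhone"):
        if key in rec:
            return rec[key]
    return None


def escalation_chain(ip, records):
    """Walk Parent -> NetHandle links upward: customer first, then the ISP that
    reallocated the block, so there is someone to notify if the customer ignores you."""
    by_handle = {r["NetHandle"]: r for r in records if "NetHandle" in r}
    rec = most_specific_allocation(ip, records)
    chain = []
    while rec is not None:
        chain.append(rec["OrgName"])
        rec = by_handle.get(rec.get("Parent"))
    return chain


if __name__ == "__main__":
    recs = parse_whois_records(WHOIS_TEXT)
    owner = most_specific_allocation("206.67.61.8", recs)
    print("most specific allocation:", owner["OrgName"], "contact:", abuse_contact(owner))
    print("escalation chain:", " -> ".join(escalation_chain("206.67.61.8", recs)))
```

The longest-prefix rule is what makes the answer "Media 3 Technologies" rather than "UUNET": both blocks contain the address, but the /20 reallocation is the party actually operating the host, and the /14 parent is who to go to next.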

thank you boys you are the best!!! let's see if we can't fix this little problem

can we run that address and see if it pulls from a different server than that other site?? they don't have a "photos" folder which makes me think that it is a hacked server..

anyway when you open the msdos it installs a something32.exe that executes randomly and brings you to an installed directory on your main (C:) drive. Once you agree to it 3 times...lmao,,,, then you get the full blown virus. (more like a virus that delivers a lot of spyware apparently.. :s)

Glad I could be your test rat.

as for now, I have to go :- (not my comp ...lol)

till tomorrow!

looks like it disables ctrl+alt+del so you can not end the process.. Thanks .s1 for your sacrifice!! You have helped the cause.. SO DON'T CLICK ON THE LINK!!!!!

There is also another twist.. There is an msdos shell shortcut that will appear on the desktop.. I don't click on it!! that should take care of the virus launch..

I am going to submit this to AOL..

Another update. Once you restart your machine it makes all known processes open up. For example, internet explorer opens, incredimail, real player, msdos, c:, etc etc etc. and the more you close them the more they pop up. So this virus isn't as much malicious as it is "annoying". I've had enough fun with it for now, (as has my stepdad >.<) so I (have to) am going to remove it now.

Bottom line, please people, never click yes to any agreement on any website or to unknown folks on AIM, MSN, etc. Use the internet at your own risk ;)

(unless you know what you're doing and like fun :P)

:haha::lol::haha:

VanBuren :)

well I removed the files (located so cleverly, right in front of your face in C: under all the folders....rofl), scanned with Ad-Aware and Spybot, removed some more crap, and am now using Trend Micro's online scan to scan some more. As well as disabled all the autostartups in the startup (start > run > msconfig; startup: khooker.exe, lshosts32.exe, LTMMSG.exe, a noname.exe, etc)

And after the virus scan(s) are complete I'll see if it's all gone

oh yea.. lol sorry :(

yea after the things (I listed above) there's no more popups/viruses/all that crap.

Was pretty easy to remove actually, just have to do it in safe mode or it'll keep regenerating itself. lol

ok well here's how I did it. And yes, I'm completely clean.

First of all to make things really easy, open "My Documents" and go to tools > folder options.

Then click the "view" tab and where you see "Hidden Files and Folders" check "show hidden files and folders"

then click apply, then ok.

Now for the removal of the files that initiate the popups and all the nonsense, you have to do this in "safe mode with networking". To get here just restart the comp and continuously tap "F8" and a screen will come up with the safe mode options. Arrow down to the "safe mode with networking" option, once highlighted click enter. This will start windows in safe mode. Once at the user account screen click on the "administrator" account (not your own) and allow it to login. Once you're on the desktop and whatnot, just go to my computer > C: and right under all the folders, you'll see the added files. (*see my screenshot in previous post*) Delete all these files manually, then clear the recycle bin.

After the files themselves are cleared go to start > run > msconfig. Tab over to the "startup" tab and basically look for the processes that look out of place, for example "khooker.exe" or "lshosts32.exe" "server" as opposed to common things such as "aim, msnmsgr, mspaint" etc. and uncheck these 'shady' looking processes. (*see below for screenshot*) It will ask to continue working or restart. Choose continue working. After this is done open internet explorer, (yea... has to be I.E <.<) and go to http://housecall.trendmicro.com and do a virus scan. [Yes, I know you have antivirus software already...as do I, but an outside scanner is much better than one on your virus ridden machine.. dontcha think? :P]

Let it scan. While this is scanning run Ad-Aware or Spybot Search & Destroy or both if you please. (I did both)

Remove any and all spyware/cookies/folders it finds, as well as viruses Trend Micro finds. If Trend Micro reports that the virus is unremovable (as it did to me) just look at its location and manually delete the file.

After this you just restart your machine and if done correctly, this will be the end of the virus and its effects.

[edit]

Also it's never a bad idea to go to start > run > %temp%, which will bring you to "C:\DOCUME~1\name here\LOCALS~1\Temp" and remove all you see there. For a lot of viruses hide in the temporarily stored documents.

you can remove the "\Temp" portion of the address to see your temporary internet files as well to remove them manually. But be careful, cookies are also in the temporary internet files folder, and you'll have to login to all your sites and whatnot again <.<

[/edit]
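
The msconfig step in the write-up above comes down to a judgement call: which Startup entries look "shady" and which are the usual AIM/MSN/paint entries. The block below is an added example, not the poster's own code, that makes that judgement repeatable for a list of startup entries exported in the shape of the Startup tab (name | command | location). It flags a name that is outside a known-good list, an executable sitting directly in the drive root or under a Temp folder (the two places the thread found the dropped files), and a system-looking "...32.exe" name living outside the Windows directory. The sample entries are constructed: the suspicious names are the ones reported in the thread, while every path and registry location is an assumption made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of msconfig's Startup tab: name | command | location.
# The suspicious names (khooker, lshosts32, LTMMSG, server) are those reported in the
# thread; the paths and registry keys are assumed for illustration.
SAMPLE_STARTUP = """\
AIM | "C:\\Program Files\\AIM\\aim.exe" -cnetwait.odl | HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
msnmsgr | "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background | HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
khooker | C:\\khooker.exe | HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
lshosts32 | C:\\lshosts32.exe | HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
LTMMSG | C:\\LTMMSG.exe | HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
server | C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\server.exe | Startup folder
"""

# The entries the poster calls "common"; a real allowlist would be built from a clean machine.
KNOWN_GOOD = {"aim.exe", "msnmsgr.exe", "mspaint.exe"}


def parse_startup_entries(text):
    """Parse 'name | command | location' lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, command, location = (part.strip() for part in line.split("|", 2))
        entries.append({"name": name, "command": command, "location": location})
    return entries


def executable_path(command):
    """Return the executable from a startup command: the quoted path, or the first token."""
    m = re.match(r'^"([^"]+)"|^(\S+)', command)
    return PureWindowsPath(m.group(1) or m.group(2))


def triage_entry(entry, known_good=KNOWN_GOOD):
    """Return the reasons an entry deserves a look; an empty list means it looks ordinary."""
    exe = executable_path(entry["command"])
    parts_lower = [p.lower() for p in exe.parts]
    reasons = []
    if exe.name.lower() not in known_good:
        reasons.append("not in known-good list")
    if exe.drive and len(exe.parts) == 2:          # e.g. C:\khooker.exe
        reasons.append("sits in the drive root")
    if "temp" in parts_lower:                      # e.g. ...\LOCALS~1\Temp\server.exe
        reasons.append("runs from a Temp folder")
    if re.search(r"32\.exe$", exe.name, re.IGNORECASE) and "windows" not in parts_lower:
        reasons.append("system-looking name outside the Windows directory")
    return reasons


def triage(text, known_good=KNOWN_GOOD):
    """Map each flagged startup name to its reasons, in the order msconfig lists them."""
    flagged = {}
    for entry in parse_startup_entries(text):
        reasons = triage_entry(entry, known_good)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_STARTUP).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Unchecking an entry in msconfig only stops it from launching; the file itself still has to be deleted (in safe mode, as the poster found), which is why the triage reports the executable's location rather than just its name.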
