Re: OT - Regarding the maniacle Trojan spreader on usenetserver
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Sun, 12 Apr 2009 21:14:35 -0400
From: "Ohmster" <root@xxxxxxxxxxxxxxx>
| I know we beat the "How to get this *** Trojan spreader off Usenet"
| to death. He is the one that posts under every name in the book and every
| post is for free software, porno videos, or anything else and pops a
| ".scr" at the end of an avi file or zip file or something like that,
| hoping that someone won't notice or that Windows default will hide the
| scr extension. We have sent complaints to abuse and
| support@xxxxxxxxxxxxxxxx with all headers, gotten back "work tickets",
| and then nothing happens, the virus/Trojan posts continue. We have called
| usenetserver.com on the phone in massive numbers to complain to their
| support telephone line, once again, they claim to manage their customers
| but cannot police the entire Usenet, only their customers, which these
| malware spreaders are or are using their domain to spread from, the
| headers prove it.
| Giganews had a similar problem a ways back but they did do something
| about it and put a stop to it. Usenetserver is not interested. The
| question is, if they will not listen to reason or accept responsibility,
| can they be coerced into concession by another Internet or governmental
| agency of the US such as ICANN or the FTC?
| Just to refresh your memory, here is a recent Trojan post:
Besides the information I provided to you, I suggest contacting the CERT of the country
UsenetServer.Com is in.
If they are a US company, contact the US CERT and file a formal complaint.
A final note is that the malware has morphed.
It is being distributed now in two forms other than files with the double extension
.AVI.SCR
It is being distributed as .MPG.SCR and a different style name that ends with a web site
name. Realize that most web sites end with .COM and if you remember a few years back most
executables were also .COM, therefore they are now being distributed with file names such
as...
"Beautiful-babe-extreeme-softcore.avi - www.hotteens.com" That IS an executable
filename.
What hasn't changed is that it is still a Zeus Bot Trojan (Zbot trojan).
The Bot C2 server (aka; C&C) is still at; csteenhoff.com and it is suggested to block
that address on all FireWalls infected or not.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
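
As an added example (not part of the original post): a filename check for the naming patterns described in the message above, the double extension and the name that ends in a web site's .COM. The extension lists, the function name and the sample names are assumptions constructed for illustration.

```python
import re

# Extensions Windows runs directly; this list is an assumption, extend as needed.
EXECUTABLE_EXTS = {"scr", "com", "exe", "pif", "bat", "cmd"}
# Harmless-looking extensions used as the decoy part of the name (assumed list).
DECOY_EXTS = {"avi", "mpg", "mpeg", "wmv", "zip", "rar", "jpg"}

# A decoy extension anywhere in the name, not followed by more letters or digits.
_DECOY_RE = re.compile(
    r"\.(%s)(?![a-z0-9])" % "|".join(sorted(DECOY_EXTS)), re.IGNORECASE
)


def classify_filename(filename):
    """Return a label for an executable file name, or None if it is not executable."""
    # Windows drops trailing dots and spaces, so "x.scr. " still runs as .scr.
    name = filename.strip().strip('"').rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return None
    # Case 1: decoy extension directly before the real one (.avi.scr, .mpg.scr),
    # including names padded with spaces to push the real extension out of view.
    _, inner_dot, inner = stem.rstrip().rpartition(".")
    if inner_dot and inner.lower() in DECOY_EXTS:
        return "double-extension"
    # Case 2: decoy extension earlier in the name, then text ending in a
    # site-like ".com" so the executable extension reads as part of a URL.
    if _DECOY_RE.search(stem):
        return "decoy-extension-then-site-name"
    return "plain-executable"


# Constructed sample attachment names, not taken from real posts.
SAMPLE_NAMES = [
    "holiday-clip.avi.scr",
    "holiday-clip.MPG.SCR",
    "holiday-clip.avi - www.example.com",
    "archive.zip            .scr",
    "holiday-clip.avi",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(f"{sample!r:45} -> {classify_filename(sample)}")
```
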