Dear abuse @ intercage.com (AKA Atrivo):

You seem to be hosting multiple sites/IP-addresses that have to do with propagating a particularly nasty virus that is centered about the "windesktop.exe" and "windesktop.dll" programs that are inserted into the WINDOWS\SYSTEM directory. I am asking you to de-activate these sites & pages whose names were embedded in the "windesktop" executables.

IP addresses:

    ........com/tmp/cfg.dat                          69.31.79.114
    sc-cash.com                                      69.31.79.115

I also found these two pages/sites embedded in an infected wins32.dll file:

    http://max-stats.com/zaebali_bla_da_da_da.dat    69.31.79.117
    http://max-stats.com/partner/xz.php              69.31.79.117

(The file zaebali_bla_da_da_da.dat seems to be an image of the nasty "windesktop.exe" executable.)

By looking up these three 69.31.79 IP addresses --- using sites like http://www.melissadata.com/Lookups/iplocation.asp and http://www.ip2location.com/free.asp --- I see that Intercage Inc. (in Concord, California) is the host of these addresses. (Some web pages indicate that Intercage has changed its name to Atrivo.)

AND ... Intercage/Atrivo Inc. seems to have a history of harboring spammers ... and even admits that the revenue from these spammers is needed --- as "Russ" at Intercage tries to convince various Admins to stop blocking Intercage addresses. See the thread represented at posts like http://lists.sosdg.org/pipermail/sosdg-nanab/2005-September/009992.html and http://lists.sosdg.org/pipermail/sosdg-nanab/2005-September/009989.html

*******************
More on MY VIRUS EXPERIENCE:
*******************

It is one thing to harbor spammers. That is bad enough. (I know. I keep getting multiple stock, medicine, and Rolex ad e-mails -- many identical ads the SAME DAY, for the same stock/medicine/Rolex. Congress should do something about that --- like pass a law to allow lobotomies to be performed on those caught doing these bulk e-mails --- and lobotomies on those ISP managers who repeatedly harbor these bulk e-mailers, under moving IP addresses. If not lobotomies, then allow for crushing their family jewels between two bricks.)

But, dear Intercage = Atrivo, to harbor propagators of virulent viruses is even worse than harboring spammers.

I have learned a lot about MS-Windows files and the architecture and techniques of certain kinds of viruses in the past two weeks --- before having to back up my data files and do a FULL RESTORE OF MY OPERATING SYSTEM to get rid of infected files.

Here are some of the files that are probably inserted or infected by this virus. Their modify times were the same minute on 10 October 2005 as the modify times of the "windesktop" executables. Here are the files sorted by modify time:

    tmpA1E2.TMP      in WINDOWS\TEMP
    jcxhtbpj.exe     in WINDOWS\SYSTEM
    __plastilin__    in    "
    wins32.dll       in    "
    ruuavwjg.exe     in    "
    nxqpjaa.exe      in    "
    Service.exe      in    "
    desktop.html     in WINDOWS
    HOSTS.SAM        in    "
    xobdluvv.exe     in WINDOWS\SYSTEM
    sdxlgaaa.exe     in    "
    perflibs__

There were also diepkioc.exe, windesktop.exe and windesktop.dll stored in WINDOWS\SYSTEM.

"windesktop.dll" appears to be a subset of the code in "windesktop.exe" --- 37 KB versus 43 KB.

"windesktop.exe" was in 4 "Startup" variables in the Windows Registry --- and kept reappearing in the Registry within a second of time, whenever I tried to use "regedit" to delete any of the 4 instances. (I actually saved copies of "windesktop.exe" and "windesktop.dll" --- in case anyone wants to dissect them --- or verify the site names I listed above.)

I finally had to start up in "Safe mode" to be able to delete/rename/move "windesktop.exe" and "windesktop.dll" --- and the "desktop.html" file that turned my desktop red.

(The red desktop was very cute --- and seems to indicate that the virus propagators were more into doing mischief than into doing secretive harm. And quite some mischief it was. See below.)

The following DLLs are mentioned in the "windesktop.exe" file:

    ADVAPI32.dll
    MVSCRT.dll
    KERNEL32.dll
    WS2_32.dll
    USER32.dll
    WININET.dll
    ICMP.DLL

Some of these DLLs were probably infected.

To get rid of the infection, I finally had to back up my data files (including mail files, bookmarks, and documents) to CDs (luckily my computer was functioning just well enough for me to do that) --- and I had to re-install the OS from a couple of Restore CDs. Then I had to re-install applications like HP printer software, Firefox, Mozilla, Irfanview, Skype, an FTP program --- and then manually restore many configuration parameters, defaults, and preferences.

Of course all this took time -- many days of time --- for:

- tracking down the problem (getting lists of files modified at about the same time and examining them)
- learning (doing Google searches, about "windesktop", about the Registry, about Safe mode, etc. etc.)
- re-booting over and over and over as my computer kept slowing down and eventually hanging up because of the virus
- trying an OS restore without wiping out my data files (but Internet Explorer, which is so central to so much of MS-Windows, kept hanging up), so I had to ...
- do a FULL RESTORE, after BACKING UP MY DATA (which required more learning, about how Outlook Express stores mail folders --- in .dbx files --- and how my browsers stored their bookmarks --- and later figuring out how to import those files back into their respective applications).

**********
CONCLUSION:
**********

All told, this took several all-nighters and an elapsed time of almost two weeks. I am far the wiser --- but, as you might imagine, I am very angry.
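As an added example (not part of the e-mail), the triage step the writer describes above, listing every file whose modify time falls within a minute of a known-bad file, written as a small Python script; the sample entries use file names from the e-mail with constructed timestamps, and scan_tree is a hypothetical helper for running the same check against a real directory tree.

```python
# Added example (not from the e-mail): the triage step the writer describes, listing
# files whose modify time falls within a window of a known-bad file's modify time.
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path, PureWindowsPath
import os

@dataclass(frozen=True)
class Entry:
    path: str          # path as it would appear on disk
    mtime: datetime    # last-modified timestamp

def scan_tree(root):
    """Walk a real directory tree and collect an Entry for every readable file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                found.append(Entry(str(p), datetime.fromtimestamp(p.stat().st_mtime)))
            except OSError:
                continue   # unreadable or vanished file: skip it rather than abort
    return found

def cowritten(entries, reference_name, window=timedelta(minutes=1)):
    """Entries modified within +/- window of the named reference file, sorted by mtime.
    The reference is matched by file name, case-insensitively as on Windows; if it is
    absent the result is empty rather than a guess."""
    # PureWindowsPath splits on both \ and /, so this works for either path style on any host.
    ref = [e for e in entries if PureWindowsPath(e.path).name.lower() == reference_name.lower()]
    if not ref:
        return []
    anchor = ref[0].mtime
    hits = [e for e in entries if abs(e.mtime - anchor) <= window]
    return sorted(hits, key=lambda e: (e.mtime, e.path.lower()))

# Constructed sample: file names from the e-mail, timestamps invented for illustration.
T0 = datetime(2005, 10, 10, 21, 14, 5)
SAMPLE = [
    Entry(r"C:\WINDOWS\SYSTEM\windesktop.exe", T0),
    Entry(r"C:\WINDOWS\SYSTEM\windesktop.dll", T0 + timedelta(seconds=2)),
    Entry(r"C:\WINDOWS\SYSTEM\wins32.dll", T0 + timedelta(seconds=20)),
    Entry(r"C:\WINDOWS\desktop.html", T0 + timedelta(seconds=40)),
    Entry(r"C:\WINDOWS\TEMP\tmpA1E2.TMP", T0 - timedelta(seconds=15)),
    Entry(r"C:\WINDOWS\SYSTEM\KERNEL32.DLL", datetime(2001, 6, 1, 9, 0)),  # untouched OS file
]

if __name__ == "__main__":
    for e in cowritten(SAMPLE, "windesktop.exe"):   # or scan_tree(r"C:\WINDOWS")
        print(e.mtime.isoformat(sep=" "), e.path)
```

Widening the window (for example to a few minutes) catches droppers that ran slightly earlier than the payload, at the cost of more legitimate files to sift through.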
So, dear Intercage/Atrivo, if you do not shut down these IP addresses and sites (in other words, do NOT simply move them to other addresses, like you seem to be doing with the spammers you are harboring --- but actually SHUT THEM DOWN), I will be obliged to take some other action.

I am copying this e-mail to some addresses like the "Internet Storm Center" lists and some Admins who have had a running conversation with "Russ@atrivo.com".

I suppose a next step could be taking out an ad in some newspapers in the Concord, CA, area --- ads addressed to people who have been affected by spam and viruses --- and letting them know that Atrivo (formerly known as Intercage Inc.) needs some help in rearranging their offices --- at

    1955 Monument Blvd.
    Concord, CA 94520
    1-925-550-3947

I found the above address and phone at http://www.cidr-report.org/cgi-bin/as-report?as=AS27595 .

Please let me know if you have an update. I am sure there are some vigilantes --- I mean some volunteers --- (people who are experienced in receiving spam and viruses) who would be glad to help you move some of your furnishings and belongings.

I do hope you get what you deserve.

Sincerely,
Blaise (as in blazing angry)

P.S. Those virus propagators should not have let loose their stuff on a Ph.D. in math with about 30 years of experience in the computing industry --- i.e. someone who knows his way around files and directories and operating systems. I think that if you Atrivo people are fine, upstanding Internet citizens, then you will let the "Internet Storm Center" know the names and addresses of the people responsible for http://max-stats.com/zaebali_bla_da_da_da.dat . Thank you for your co-operation.

Copies to:
    intrusions a t lists.sans.org
    list a t lists.dshield.org
    forum a t shield.org
    SpamHuntress a t gmail.com
    rsk a t gsp.org
    morleydotes a t spamblocked.com
    TeamZ a t zonelabs.com
    abuse a t nlayer.net
    dalnetuzer a t yahoo.com

**** P.S. (a traceroute) ****

Here is part of a traceroute to one of the 69.31.79 addresses involved with the "windesktop" virus. Note that "nlayer.net" is involved in the link to Intercage/Atrivo. Hence I copy the "abuse" address at nlayer.net --- and I copy someone who has sent complaints to "abuse" at nlayer.net --- to let him know that he is not alone.

C:\WINDOWS\Desktop>tracert 69.31.79.114

Tracing route to 69.31.79.114 over a maximum of 30 hops

  ... ... ... ... ...
  7    <10 ms   <10 ms   <10 ms  ashbbbrj01-s0100.r2.as.cox.net [68.1.0.218]
  8     14 ms    13 ms   <10 ms  68.105.30.106
  9     96 ms    82 ms    96 ms  0.so-0-3-0.cr1.sfo1.us.nlayer.net [69.22.142.78]
 10     96 ms    96 ms    96 ms  ge4-8.hr1.sfo1.us.nlayer.net [69.22.143.14]
 11     96 ms    96 ms    96 ms  atrivo.ge1-4.hr1.sfo1.us.nlayer.net [69.22.128.250]
 12     96 ms    96 ms    96 ms  69.31.79.114

Trace complete.
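The writer found the sc-cash.com and max-stats.com names by reading them out of the "windesktop" executables and wins32.dll. As an added example (not part of the e-mail), here is that step as a Python script that pulls URL strings out of a binary in both plain ASCII and the UTF-16LE encoding Windows programs commonly use, then groups them by host; the sample blob is constructed (two strings from the e-mail plus the placeholder host example.invalid) and the function names are the example's own.

```python
# Added example (not from the e-mail): pulling URL-like strings out of a binary, the step
# the writer did by hand to find the sites embedded in the "windesktop" executables.
# It scans plain ASCII and the UTF-16LE encoding that Windows programs commonly use.
import re
from collections import defaultdict

ASCII_URL = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~%/\-]*)?")
# UTF-16LE text is ASCII bytes interleaved with zero bytes, so the pattern interleaves \x00.
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[A-Za-z0-9._~%/\-]\x00)+")

def extract_urls(blob):
    """Return (offset, encoding, url) triples for every distinct URL, in file order.
    A URL seen in both encodings or more than once is reported at its first offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_URL.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in WIDE_URL.finditer(blob)]
    seen, out = set(), []
    for off, enc, url in sorted(hits):
        if url not in seen:
            seen.add(url)
            out.append((off, enc, url))
    return out

def by_host(urls):
    """Group extracted URLs by host, the shape an abuse report needs."""
    hosts = defaultdict(list)
    for _off, _enc, url in urls:
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        hosts[host].append(url)
    return dict(hosts)

# Constructed sample blob: two strings taken from the e-mail, one placeholder host, one
# duplicate, and an HTTP request line with no scheme (deliberately not matched).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"http://max-stats.com/partner/xz.php\x00\xcc\xcc"
    + "http://max-stats.com/zaebali_bla_da_da_da.dat".encode("utf-16-le") + b"\x00\x00"
    + b"GET /tmp/cfg.dat HTTP/1.0\r\n"
    + b"https://example.invalid/stats.php\x00"
    + b"http://max-stats.com/partner/xz.php\x00"
)

if __name__ == "__main__":
    for off, enc, url in extract_urls(SAMPLE_BLOB):
        print(f"0x{off:06x} {enc:8s} {url}")
    print(by_host(extract_urls(SAMPLE_BLOB)))
```

Run against a real file with `extract_urls(open(path, "rb").read())`; strings that are packed, encrypted or built at run time will not appear, so an empty result is not proof the binary contacts nothing.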