| Tags: block ip, firewall, ip address, opendns, trojan, webpage |
#1
>>> FYI: Block this IP 188.72.246.99 <<<

FYI: Block this IP 188.72.246.99

Don't even go to that IP. Go to OpenDNS or your firewall or wherever you block IPs and add it. It launches a scan-looking webpage that says you have Trojans on C: and D: (I don't have a D: drive) and then wants you to install a cleaner. (It even looks like a Microsoft popup.) I didn't install it, but I'm sure it's malware. Please add this IP to your blocking on your firewalls and AV.

#2
Thanks, Russ. According to IP2Location (http://www.ip2location.com), it's on a DSL line in Germany:

| Field | Value |
| IP Address | 188.72.246.99 |
| Country | GERMANY |
| Region | - |
| City | - |
| Latitude/Longitude | 52.517 13.4 |
| ZIP Code | - |
| Time Zone | +01:00 |
| Net Speed | DSL |
| ISP | NETDIRECT |
| Domain | INTERNETSERVICETEAM.COM |
| IDD Code | 49 |
| Area Code | - |
| Weather Station | GMXX0007 - BERLIN |

#3
Norton rating report on that IP address: http://safeweb.norton.com/report/sho...=188.72.246.99

That's a good website, and yes, that's what it has: a Fake Virus Scan.

#4
I agree, that's a great site. I created a URL shortcut for it for my browser. :-)

FYI, if anyone's interested, it's a reg entry so all I have to type in the URL line is "ip <ip address>" and it goes to that site. I use that for MS' support site, eventid.net, etc. Here's an example reg entry for this site:

====
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\ip]
@="http://safeweb.norton.com/report/show?name=%s"
====

#5
I just used a test VPC of Win 2000, IE6, no antivirus to go to that site. The result was that the fake page loaded, but because this test VPC is behind my WatchGuard firewall, the EXE files were unable to download, so no infection. My WG does not let in any EXE or DLL, and scans by extension as well as MIME type to determine the file type. Other than killing JavaScript completely, I'd like to find a way to block the initial page of these fake sites from loading at all.

I just tested again, this time with WFBS 6.0 SP2 installed and the WatchGuard bypassed. While it did get to the site, Trend was able to block the downloaded file.

#6
I'm not sure how to do it in the WG, but with the Cisco Pix and ASA series, it would be commands such as the following:

name 188.72.246.99 FakeVirusAlertSourceIP
access-list aclout_in deny tcp host 188.72.246.99 any

#7
With the WatchGuard, create a common http policy with a packet filter, on the outgoing tab, change filter to deny, and add the IP address to To: block, From is any.

#8
WatchGuard has an IP block list you can add the entire subnet to; I have a large list of IP ranges in the default block list. Additionally, if you're letting COM/EXE/REG/DLL, etc... files inbound via HTTP then you're not using the firewall properly - Block all files capable of malicious activity for HTTP - then enter exclusions for *.microsoft.com, *.adobe.com, etc... as needed for the general HTTP PROXY rule - don't use a packet filter rule to block a single IP, use the BLOCK IP list function.

I intentionally bypassed the WatchGuard in order to test if Trend Micro WFBS would stop it. For once, it did.

#9
I know how to block it. You missed the "WatchGuard bypassed" part of my comment. I was trying to see if WFBS could catch something for once without interference from the WatchGuard, so I temporarily set the WatchGuard to let it through to the desktop.

#10
I was wondering what that meant! LOL! As for the list, there is quite a bit to enter manually into a PIX. Maybe create a 'deny' group, and put them in, but I still have to get them in somehow and not spend two hours typing them in. :-) Thanks for the link, Gregg!

#11
For a WatchGuard, all one has to do is get the file into text that has only the IP addresses. I just open it in Excel and choose a semi-colon as the delimiter, which makes it into two columns. I delete the second column, save it, then use it to import into the WG in one big chunk. If you look at the list, you will see that the IP that Russ posted isn't there, but it can be added manually.

I was checking into my Pix and how to do it. I can create a 'service group' and simply copy/paste a comma delimited file, as you stated. Thanks for the ideas!
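
The list clean-up described in post #11, as an added example that is not part of the original thread: it reads a semicolon-delimited `address;note` list, keeps only valid addresses, drops duplicates and internal ranges, appends the manually added IP, and emits both an addresses-only list and deny lines shaped like the command in post #6. The sample rows are constructed, and the internal-range safeguard, the CIDR rows and the network-plus-mask form for ranges are assumptions beyond what the thread shows.

```python
import ipaddress

# Constructed sample of a semicolon-delimited list export (address;note).
SAMPLE = """\
# address;note
192.0.2.15;fake scanner page
198.51.100.0/24;hosting range
192.0.2.15;duplicate row
192.168.1.10;internal host listed by mistake
not-an-ip;broken row
"""

# Internal ranges that should never end up in a block list (added safeguard).
PROTECTED = [ipaddress.IPv4Network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_blocklist(text, extra=()):
    """Return (networks, rejected) from 'address;note' rows plus manual extras."""
    seen, networks, rejected = set(), [], []
    rows = [line.split(";", 1)[0].strip() for line in text.splitlines()]
    entries = [e for e in rows + list(extra) if e and not e.startswith("#")]
    for entry in entries:
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IPv4 address or range"))
            continue
        if any(net.overlaps(p) for p in PROTECTED):
            rejected.append((entry, "overlaps an internal range"))
        elif net not in seen:  # drop duplicates, keep first-seen order
            seen.add(net)
            networks.append(net)
    return networks, rejected

def plain_list(networks):
    """Addresses only, one per line; ranges stay in CIDR form (assumed accepted)."""
    return "\n".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                     for n in networks)

def pix_acl(networks, acl="aclout_in"):
    """Deny lines shaped like the command in post #6; mask form is an assumption."""
    return [f"access-list {acl} deny tcp "
            + (f"host {n.network_address}" if n.prefixlen == 32
               else f"{n.network_address} {n.netmask}") + " any"
            for n in networks]

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE, extra=["188.72.246.99"])
    print(plain_list(nets), *pix_acl(nets), *bad, sep="\n")
```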

#12
http://www.ip2location.com/188.72.246.99

Domain: 84-16-254-32.LOCAL, what does LOCAL mean? LAN IP address?