Is this thing infecting only XP machines? I would assume it would infect 2000 and 2003 Server as well... what about 9x and ME?
computerguy | Homepage | 12.28.05 - 4:44 pm | #

Any application that automatically displays a WMF image will cause the user’s machines to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current version of Internet Explorer on all versions of Windows.
Alex Eckelberry (Siteowner) | Homepage | 12.28.05 - 5:08 pm | #

Many of those site get them from:

Iframeurl [dot] biz
beehappyy [dot] biz

crackz ws, and mscracks, and keygen us gets it from those sites.
redxii | 12.28.05 - 5:15 pm | #

Some of these domains are already in IE-SPYAD, a free utility that puts dangerous domains in Internet Explorer's restricted sites zone.

https://netfiles.uiuc.edu/ehowes/ ...rce.htm#IESPYAD

A text list of the domains in IE-SPYAD can be downloaded here to check.

https://netfiles.uiuc.edu/ehowes/ ...e.htm#SitesList
suzi | Homepage | 12.28.05 - 5:33 pm | #

Redxii and Suzi, you're both right.

We have also sent Eric Howes (who manages IIESpyad) an updated URL list. However, he's currently out of town so I'm not sure he has all of the latest URLs. Nevertheless, IESpyad rocks and should be used.
Alex Eckelberry (Siteowner) | Homepage | 12.28.05 - 6:42 pm | #

Eric posted in the other comments here that he has a new update tonight for IE-SPYAD to be installed over a current installation.

http://www.dslreports.com/forum/ ...remark,15121689

This update includes new domains being used in the exploit.
suzi | Homepage | 12.29.05 - 1:38 am | #