On Tue, 02 Dec 2003 10:16:23 +0100 Nicob <nicob@nicob.net> wrote:
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.

I caught one last night scanning 1026/UDP and 1030/UDP and doing popups
directing people to www.PopAdStop.com. The 1026/UDP and related traffic
is *definitely* popup spam related. At this point, I suspect that the
malware is getting onto computers via .HTA mime or ADODB.Stream vulnerabilities
in IE. However, I have no proof of this yet.

BTW, I did `wget http://www.PopAdStop.com` a little bit ago. Looks like
they could win an obfuscated JavaScript contest.

Paul
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Received on Tue Dec 02 15:50:33 2003
This archive was generated by hypermail 2.1.8 : Tue Dec 02 2003 - 16:01:00 CST