[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Increase probe on UDP port 1026
- To: Nicob <nicob@nicob.net>
- Subject: Re: [Full-Disclosure] Increase probe on UDP port 1026
- From: Paul Dokas <dokas@cs.umn.edu>
- Date: Tue, 2 Dec 2003 15:21:17 -0600
On Tue, 02 Dec 2003 10:16:23 +0100 Nicob <nicob@nicob.net> wrote:
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.
I caught one last night scanning 1026/UDP and 1030/UDP and doing popups
directing people to www.PopAdStop.com. The 1026/UDP and related traffic
is *definitely* popup spam related. At this point, I suspect that the
malware is getting onto computers via .HTA mime or ADODB.Stream vulnerabilites
in IE. However, I have no proof of this yet.
BTW, I did `wget http://www.PopAdStop.com` a little bit ago. Looks like
they could win an obfuscated JavaScript contest.
Paul
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html