[Full-Disclosure] Increase probe on UDP port 1026
Paul Dokas
dokas at cs.umn.edu
Tue Dec 2 21:21:17 GMT 2003
On Tue, 02 Dec 2003 10:16:23 +0100 Nicob <nicob at nicob.net> wrote:
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.
I caught one last night scanning 1026/UDP and 1030/UDP and doing popups
directing people to www.PopAdStop.com. The 1026/UDP and related traffic
is *definitely* popup spam related. At this point, I suspect that the
malware is getting onto computers via .HTA mime or ADODB.Stream vulnerabilites
in IE. However, I have no proof of this yet.
BTW, I did `wget http://www.PopAdStop.com` a little bit ago. Looks like
they could win an obfuscated JavaScript contest.
Paul
--
Paul Dokas dokas at cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
Full-Disclosure is hosted and sponsored by Secunia.