Full Disclosure mailing list archives

Re: Increase probe on UDP port 1026


From: Paul Dokas <dokas () cs umn edu>
Date: Tue, 2 Dec 2003 15:21:17 -0600

On Tue, 02 Dec 2003 10:16:23 +0100 Nicob <nicob () nicob net> wrote:
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.

I caught one last night scanning 1026/UDP and 1030/UDP and doing popups
directing people to www.PopAdStop.com.  The 1026/UDP and related traffic
is *definitely* popup spam related.  At this point, I suspect that the
malware is getting onto computers via .HTA mime or ADODB.Stream vulnerabilities
in IE.  However, I have no proof of this yet.

BTW, I did `wget http://www.PopAdStop.com` a little bit ago.  Looks like
they could win an obfuscated JavaScript contest.


Paul
-- 
Paul Dokas                                            dokas () cs umn edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
