Security Incidents mailing list archives
RE: Source of Windows PopUp SPAM
From: H C <keydet89 () yahoo com>
Date: Tue, 15 Oct 2002 17:06:43 -0700 (PDT)
> http://www.wired.com/news/technology/0,1282,55795,00.html

Yeah, I saw that. ;-)

> Also, I ran a packet trace on how the product generating these popups is working...the popup appears to be delivered as a single UDP/135 packet...

Interesting. I've done some testing in my lab.

I ran a test tonight using the 'net send' command. It looked like this:

c:\>net send 10.1.1.10 This is a test

The capture looked like this:

1. UDP137 Netbios name query
2. TCP connection setup (1247 -> 139)
3. Actual text ("This is a test") appeared in a single TCP packet (1247 -> 139).

This also appeared to be the case in my proof-of-concept Perl code that launched the NetMessageBufferSend() API code.

I'll have to download the DA demo and see how that works.

> I understand that the .exe involved may be 'svchost.exe' or 'services.exe'...depending on OS and version.

On 2K, it's definitely service.exe. I don't have an XP machine to query, but I checked on the Net and found both. However, MS says service.exe in KB article Q314056 (applies to XP Pro). Also, http://www.theeldergeek.com/messenger.htm says "services.exe", as well.

I'd be interested in seeing what OS versions have the Messenger service running under svchost.exe, and which ones have it running under services.exe.

Carv