Security Incidents mailing list archives

RE: Source of Windows PopUp SPAM


From: H C <keydet89 () yahoo com>
Date: Tue, 15 Oct 2002 17:06:43 -0700 (PDT)



> http://www.wired.com/news/technology/0,1282,55795,00.html


Yeah, I saw that.  ;-)

> Also, I ran a packet trace on how the product generating these popups is
> working...the popup appears to be delivered as a single UDP/135 packet...

Interesting.  I've done some testing in my lab.  

I ran a test tonight using the 'net send' command.  It
looked like this:

c:\>net send 10.1.1.10 This is a test

The capture looked like this:
1.  UDP137 Netbios name query
2.  TCP connection setup (1247 -> 139)
3.  Actual text ("This is a test") appeared in a
single TCP packet (1247 -> 139).

This also appeared to be the case in my
proof-of-concept Perl code that launched the
NetMessageBufferSend() API code.

I'll have to download the DA demo and see how that
works. 

> I understand that the .exe involved may be 'svchost.exe' or
> 'services.exe'...depending on OS and version.

On 2K, it's definitely service.exe.  I don't have an
XP machine to query, but I checked on the Net and
found both.  However, MS says service.exe in KB
article Q314056 (applies to XP Pro).  Also,
http://www.theeldergeek.com/messenger.htm says
"services.exe", as well.

I'd be interested in seeing what OS versions have the
Messenger service running under svchost.exe, and which
ones have it running under services.exe.

Carv
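
An added example, not part of the original post: a small Python classifier that separates the two delivery paths discussed in this message, the UDP/137 name query followed by a TCP/139 session seen with 'net send', and the lone UDP/135 datagram reported in the quoted trace. The one-line-per-packet format, the addresses and the label names are assumptions constructed for illustration.

```python
import re

# Constructed capture summary, one packet per line (not data from the post):
# "<time> <src>.<sport> > <dst>.<dport>: <PROTO> len <payload bytes>"
SAMPLE = """\
0.000 10.1.1.5.137 > 10.1.1.10.137: UDP len 50
0.004 10.1.1.5.1247 > 10.1.1.10.139: TCP len 0
0.005 10.1.1.5.1247 > 10.1.1.10.139: TCP len 112
4.210 192.0.2.77.4021 > 10.1.1.10.135: UDP len 412
9.900 10.1.1.8.1300 > 10.1.1.10.139: TCP len 90
"""

LINE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>UDP|TCP) len (?P<len>\d+)$"
)

def classify(capture):
    """Label payload-carrying packets by the delivery path they fit."""
    name_queried = set()  # (src, dst) pairs with a UDP/137 name query seen
    reported = set()      # (src, dst, label) already emitted
    findings = []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        src, dst = m["src"], m["dst"]
        proto, dport, size = m["proto"], int(m["dport"]), int(m["len"])
        if proto == "UDP" and dport == 137:
            name_queried.add((src, dst))
            continue
        if size == 0:
            continue  # connection setup only, no message text
        if proto == "UDP" and dport == 135:
            label = "udp135-single-datagram"
        elif proto == "TCP" and dport == 139:
            label = "net-send-139" if (src, dst) in name_queried else "tcp139-no-name-query"
        else:
            continue
        if (src, dst, label) not in reported:
            reported.add((src, dst, label))
            findings.append((src, dst, label))
    return findings

if __name__ == "__main__":
    for src, dst, label in classify(SAMPLE):
        print(f"{src} -> {dst}: {label}")
```

A UDP/135 datagram from an address outside the local network, with no preceding name query, is the pattern worth filtering or alerting on at the perimeter.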

