On Tue, 02 Dec 2003 10:16:23 +0100 Nicob <[EMAIL PROTECTED]> wrote:
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.

I caught one last night scanning 1026/UDP and 1030/UDP and doing popups
directing people to www.PopAdStop.com. The 1026/UDP and related traffic
is *definitely* popup spam related.

At this point, I suspect that the malware is getting onto computers via
.HTA mime or ADODB.Stream vulnerabilities in IE. However, I have no proof
of this yet.

BTW, I did `wget http://www.PopAdStop.com` a little bit ago. Looks like
they could win an obfuscated JavaScript contest.

Paul
--
Paul Dokas [EMAIL PROTECTED]
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
