> -----Original Message-----
> From: [EMAIL PROTECTED]
> Sent: Thursday, February 17, 2005 5:01 PM
> Subject: URLs used by W32/MyDoom-O (aka .AX,.BB) to query search engines?
>
> Hello List,
>
> Does anyone have a list of query URLs used by W32/MyDoom-O
> (Sophos name:
> http://www.sophos.com/virusinfo/analyses/w32mydoomo.html)
> to dig e-mail addresses from search engines?
Here are examples of the 4 URLs used by that virus, where %domain% is like the comcast.net in my email address =>

#1 - www.altavista.com

GET /web/results?q=%domain%+email&kgs=0&kls=0&nbq=20 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.altavista.com
Connection: Keep-Alive

#2 - www.google.com

GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+%domain%&num=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.google.com

#3 - Search.Lycos.com

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+%domain% HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.lycos.com

#4 - search.yahoo.com

GET /search?p=email+ %domain% &ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.yahoo.com

> Are these specific enough that there's a chance to catch them
> in the config of a web proxy (e.g. Squid) and avoid being
> "blacklisted" by the search engines? (seems to me that Google
> temporarily blacklists IPs that drown them under such requests)

You could use an IDP signature to block the requesting traffic.

> Greets,
> _Alain_

Regards,
Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com
To Submit A Virus: pkzip/winzip password infected to submitvirus at fortinet dot com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
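A proxy-side detector for the four query patterns quoted above, added here as an illustration and not part of the original thread: it turns the request examples into per-engine signatures and flags the clients issuing them in Squid-style access.log lines. The log lines, client and server addresses are constructed placeholders, and the Squid native log layout (client address 3rd field, URL 7th) is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signatures from the four requests quoted in the post: the query parameter
# carrying the search terms and the harvesting phrase around %domain%.
# parse_qs() decodes '+' to a space, so the patterns use spaces.
DOMAIN = r"(?P<domain>[a-z0-9.-]+\.[a-z]{2,})"
SIGNATURES = {
    "www.altavista.com": ("q", re.compile(r"^" + DOMAIN + r" email$")),
    "www.google.com": ("q", re.compile(r"^mailto " + DOMAIN + r"$")),
    "search.lycos.com": ("query", re.compile(r"^mailto " + DOMAIN + r"$")),
    "search.yahoo.com": ("p", re.compile(r"^email " + DOMAIN + r"$")),
}

def classify_request(url):
    """Return (engine_host, harvested_domain) when the URL matches a
    MyDoom-O address-harvesting query, otherwise None."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host not in SIGNATURES:
        return None
    param, pattern = SIGNATURES[host]
    for value in parse_qs(parts.query).get(param, []):
        # Collapse stray whitespace like the Yahoo example's "email+ x "
        match = pattern.match(" ".join(value.lower().split()))
        if match:
            return host, match.group("domain")
    return None

def scan_access_log(lines):
    """Scan Squid native access.log lines (assumed layout: client address
    is the 3rd field, URL the 7th) and return (client, engine, domain) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 7:
            hit = classify_request(fields[6])
            if hit:
                hits.append((fields[2],) + hit)
    return hits

# Constructed sample log: two worm queries, one benign search, and one worm
# query with the Yahoo spacing percent-encoded. Addresses are placeholders.
SAMPLE_LOG = [
    "1108680060.123 312 192.0.2.15 TCP_MISS/200 5120 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+comcast.net&num=100 - DIRECT/203.0.113.9 text/html",
    "1108680061.456 298 192.0.2.15 TCP_MISS/200 4880 GET http://www.altavista.com/web/results?q=comcast.net+email&kgs=0&kls=0&nbq=20 - DIRECT/203.0.113.10 text/html",
    "1108680062.789 150 192.0.2.20 TCP_MISS/200 7300 GET http://www.google.com/search?hl=en&q=squid+acl+url_regex - DIRECT/203.0.113.9 text/html",
    "1108680063.012 330 192.0.2.15 TCP_MISS/200 6010 GET http://search.yahoo.com/search?p=email+%20comcast.net%20&ei=UTF-8&fr=fp-tab-web-t - DIRECT/203.0.113.11 text/html",
]
```

A client that repeatedly trips these signatures is a candidate for the Squid ACL or IDP rule discussed in the thread; `scan_access_log(SAMPLE_LOG)` reports 192.0.2.15 three times and leaves the benign search alone.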
