[Dshield] Friendgreetings.com mass emailer

Brenna Primrose drxlecter at phreaker.net
Fri Oct 25 20:20:11 GMT 2002


Well, it looks like the IP 12.107.125.99 is just the server from which
the MSI installer is pulled.  The malware needs this on machines without
the built-in installer package.

http://profiles.yahoo.com/absolut_contagion 
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t at creighton.edu 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
G e* h- r++ x+ 
------END GEEK CODE BLOCK------

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of Russell Washington
Sent: Friday, October 25, 2002 12:30 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] Friendgreetings.com mass emailer

www .friendgreetings.com = 65.89.168.4
ARIN information:

Search results for: ! NET-65-89-168-0-1 


CustName:   Free Yankee
Address:    11778 Election Draper UT 84020
Country:    US
RegDate:    2002-10-17
Updated:    2002-10-17

NetRange:   65.89.168.0 - 65.89.168.255
CIDR:       65.89.168.0/24
NetName:    BRW-9924-FREEYANKEE
NetHandle:  NET-65-89-168-0-1
Parent:     NET-65-88-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2002-10-17
Updated:    2002-10-17

# ARIN Whois database, last updated 2002-10-24 19:05

We've blackholed the entire Class C.  Following the install process we
noted communications with 65.89.168.4, 65.89.168.14, 12.107.125.99 (an
AT&T Worldnet address, also blackholed now).

We also saw comms with 207.46.230.220, a Microsoft address; we didn't
blackhole this one, figuring it might be in the mix due to certificate
revocation list checking during the install or something.
