[Dshield] Friendgreetings.com mass emailer

Brenna Primrose drxlecter at phreaker.net
Fri Oct 25 20:20:11 GMT 2002

Well it looks like the IP is just the server from which
the MSI installer is pulled.  The malware needs this on machines without
the built-in installer package. 

AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t at creighton.edu 

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of Russell Washington
Sent: Friday, October 25, 2002 12:30 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] Friendgreetings.com mass emailer

www .friendgreetings.com =
ARIN information:

Search results for: ! NET-65-89-168-0-1 

CustName:   Free Yankee
Address:    11778 Election Draper UT 84020
Country:    US
RegDate:    2002-10-17
Updated:    2002-10-17

NetRange: -
NetName:    BRW-9924-FREEYANKEE
NetHandle:  NET-65-89-168-0-1
Parent:     NET-65-88-0-0-1
NetType:    Reassigned
RegDate:    2002-10-17
Updated:    2002-10-17

# ARIN Whois database, last updated 2002-10-24 19:05

We've blackholed the entire Class C.  Following the install process we
saw communications with,, (an AT&T
Worldnet address, also blackholed now).

We also saw comms with, a Microsoft address; we didn't
blackhole this one, figuring it might be in the mix due to certificate
revocation list checking during the install or something.
