[Dshield] Friendgreetings.com mass emailer

Russell Washington russ.washington at vaultsentry.com
Fri Oct 25 20:38:34 GMT 2002

Interesting.  Still sounds fishy tho, given that the 12.x range is assigned
to AT&T Worldnet.  Maybe a DSL user or something? (scratching head)

-----Original Message-----
From: Brenna Primrose [mailto:drxlecter at phreaker.net] 
Sent: Friday, October 25, 2002 1:20 PM
To: list at dshield.org
Subject: RE: [Dshield] Friendgreetings.com mass emailer

Well it looks like the IP is just the server from which the
MSI installer is pulled.  The malware needs this on machines without the
built-in installer package. 

AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t at creighton.edu 
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
G e* h- r++ x+ 

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of
Russell Washington
Sent: Friday, October 25, 2002 12:30 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] Friendgreetings.com mass emailer

www .friendgreetings.com =
ARIN information:

Search results for: ! NET-65-89-168-0-1 

CustName:   Free Yankee
Address:    11778 Election Draper UT 84020
Country:    US
RegDate:    2002-10-17
Updated:    2002-10-17

NetRange: -
NetName:    BRW-9924-FREEYANKEE
NetHandle:  NET-65-89-168-0-1
Parent:     NET-65-88-0-0-1
NetType:    Reassigned
RegDate:    2002-10-17
Updated:    2002-10-17

# ARIN Whois database, last updated 2002-10-24 19:05

We've blackholed the entire Class C.  Following the install process we noted
communications with,, (an AT&T
Worldnet address, also blackholed now).

We also saw comms with, a Microsoft address; we didn't
blackhole this one, figuring it might be in the mix due to certificate
revocation list checking during the install or something.
