[Dshield] Friendgreetings.com mass emailer

Russell Washington russ.washington at vaultsentry.com
Fri Oct 25 20:38:34 GMT 2002


Interesting.  Still sounds fishy though, given that the 12.x range is assigned
to AT&T Worldnet.  Maybe a DSL user or something? (scratching head)

-----Original Message-----
From: Brenna Primrose [mailto:drxlecter at phreaker.net] 
Sent: Friday, October 25, 2002 1:20 PM
To: list at dshield.org
Subject: RE: [Dshield] Friendgreetings.com mass emailer


Well it looks like the IP 12.107.125.99 is just the server from which the
MSI installer is pulled.  The malware needs this on machines without the
built-in installer package. 

http://profiles.yahoo.com/absolut_contagion 
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t at creighton.edu 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
G e* h- r++ x+ 
------END GEEK CODE BLOCK------

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of
Russell Washington
Sent: Friday, October 25, 2002 12:30 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] Friendgreetings.com mass emailer

www .friendgreetings.com = 65.89.168.4
ARIN information:

Search results for: ! NET-65-89-168-0-1 


CustName:   Free Yankee
Address:    11778 Election Draper UT 84020
Country:    US
RegDate:    2002-10-17
Updated:    2002-10-17

NetRange:   65.89.168.0 - 65.89.168.255
CIDR:       65.89.168.0/24
NetName:    BRW-9924-FREEYANKEE
NetHandle:  NET-65-89-168-0-1
Parent:     NET-65-88-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2002-10-17
Updated:    2002-10-17

# ARIN Whois database, last updated 2002-10-24 19:05

We've blackholed the entire Class C.  Following the install process we noted
communications with 65.89.168.4, 65.89.168.14, 12.107.125.99 (an AT&T
Worldnet address, also blackholed now).

We also saw comms with 207.46.230.220, a Microsoft address; we didn't
blackhole this one, figuring it might be in the mix due to certificate
revocation list checking during the install or something.
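As an added illustration of the triage described above (not code from the original post or from DShield), the script below checks constructed firewall log lines against the ranges the poster blackholed, while keeping the Microsoft address in a watch-only set rather than blocking it. The log line format, internal source addresses and the 198.51.100.7 control entry are assumptions.

```python
import ipaddress
import re

# Ranges blackholed in the thread: the whole /24 behind friendgreetings.com
# and the AT&T Worldnet host that served the MSI installer.
BLACKHOLED = [ipaddress.ip_network("65.89.168.0/24"),
              ipaddress.ip_network("12.107.125.99/32")]
# Seen during the install but deliberately not blackholed (suspected CRL check).
WATCH_ONLY = {ipaddress.ip_address("207.46.230.220")}

# Constructed sample log lines; the "src= dst= dport=" format is hypothetical.
SAMPLE_LOG = """\
2002-10-25 12:01:03 src=10.0.5.17 dst=65.89.168.4 dport=80 action=allow
2002-10-25 12:01:05 src=10.0.5.17 dst=207.46.230.220 dport=80 action=allow
2002-10-25 12:01:09 src=10.0.5.17 dst=12.107.125.99 dport=80 action=allow
2002-10-25 12:02:40 src=10.0.5.22 dst=65.89.168.14 dport=80 action=allow
2002-10-25 12:03:11 src=10.0.5.31 dst=198.51.100.7 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def classify(dst):
    """Return 'blackholed', 'watch' or 'other' for a destination address."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in BLACKHOLED):
        return "blackholed"
    if addr in WATCH_ONLY:
        return "watch"
    return "other"


def triage(log_text):
    """Map each internal source to the flagged destinations it contacted.

    Returns {src: {dst: verdict}} and ignores lines with unflagged destinations,
    so the result is the list of hosts that likely ran the installer.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, _dport = m.groups()
        verdict = classify(dst)
        if verdict != "other":
            hits.setdefault(src, {})[dst] = verdict
    return hits


if __name__ == "__main__":
    for src, contacts in triage(SAMPLE_LOG).items():
        print(src, contacts)
```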



_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
