[Dshield] port 1026-1031 update

Bill McCarty bmccarty at pt-net.net
Wed Dec 3 15:52:42 GMT 2003

Hi all,

The traffic has markedly dropped off, though not entirely disappeared, 
today. My own observations are consistent with DShield reports in this 

The traffic became a topic of discussion on another email list. One 
enterprising participant on that list configured a system to reply to the 
0x0000 probe, which caused the source to respond with a pop-up spam 
message. The message invited its recipient to visit the web site 
www.popadstop.com and download a free program alleged to block pop-up spam. 
I speculate that the program is a Trojan horse. I installed it on a 
sacrificial PC, but haven't since noticed any unusual network activity from 
the PC. The PC is behind a firewall and therefore may not be able to 
communicate with its master, if indeed one exists.

The web page offering the program contains obfuscated Javascript that 
conceals its workings. Another list participant and I have independently 
made progress toward unobfuscating the code. But, neither of us yet has a 
complete decode.


Bill McCarty

More information about the list mailing list