[Dshield] port 1026-1031 update

Johannes B. Ullrich jullrich at sans.org
Wed Dec 3 21:02:13 GMT 2003

> We concur: There doesn't seem to be anything malicious behind the 
> obfuscation on the web page. However, I continue to suspect that the 
> offered download is malicious. I know of one group that's working to 
> reverse engineer it. So, perhaps we'll soon know.

Well, I do have a few reports from people that say they did see the
outbound 1026-1031 traffic after they installed "PopupadStop". I
installed it myself, and don't see the traffic. However, it does a
'version check' as it is installed, and it is possible that it 
downloaded extra pieces in the past.

Other than that, we do have now a connection between the two-byte
UDP port 1026-1031 traffic and popup spam. If your system responds 
to the two zero byte traffic, a popup spam will be send.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20031203/71a9cbda/attachment.bin

More information about the list mailing list