[Dshield] Windows Messenger Popup Spam on UDP Port 1026

R Shady RShady at stny.rr.com
Sat Jun 21 10:21:25 GMT 2003


In Win9x/ME, Windows Messenger, ironically, is called
WinPopUp. WinPopUp can be uninstalled; see:
 
http://www.wown.com/j_helmig/winpopup.htm

Joe Stewart wrote:

>Windows Messenger Popup Spam on UDP Port 1026
>
>URL: http://www.lurhq.com/popup_spam.html
>Release Date: June 20, 2003
>Author: Joe Stewart
>
>LURHQ Corporation has observed traffic to large blocks of IP addresses
>on UDP port 1026. This traffic started around June 18, 2003 and has
>been constant since that time. LURHQ analysts have determined that the
>source of the traffic is spammers who have discovered that the Windows
>Messenger service listens for connections on port 1026 as well as the
>more widely-known port 135. Windows Messenger has been a target for
>spammers since late last year, because it allows anonymous pop-up
>messages to be displayed on any Windows system running the messenger
>service. Due to widespread abuse, many ISPs have moved to block
>inbound traffic on UDP port 135. It appears the spammers have adapted,
>so ISPs are urged to block UDP port 1026 inbound as well.
>
>It is possible to disable the messenger service on some platforms
>following the instructions below. However, the fact that you can
>receive these messages points to the fact that your computer is
>unsecured and vulnerable to other possible attacks in the future.
>Disabling the messenger service will stop the pop-up spam, but will
>not protect you in any other way. Home users are encouraged to install
>personal firewall software to block unauthorized connections to their
>computers. Users are discouraged from purchasing specialized Windows
>Messenger popup blocking software as it is often sold by the same
>company that is sending the popups.
>
>To disable the Messenger Service, follow the instructions for your
>Windows version:
>
>Windows XP Home
>  * Click Start, then click Control Panel.
>  * Double-click Performance and Maintenance.
>  * Double-click Administrative Tools.
>  * Double-click Services.
>  * Scroll down, highlight and right-click on Messenger and choose
>    Properties
>  * In the "Startup type" list, choose Disabled.
>  * Click Stop, and then click OK.
>
>Windows XP Professional
>  * Click Start, then click Control Panel.
>  * Double-click Administrative Tools
>  * Double-click Services
>  * Scroll down, highlight and right-click on Messenger and choose
>    Properties
>  * In the "Startup type" list, choose Disabled.
>  * Click Stop, and then click OK.
>
>Windows 2000/NT
>  * Click Start, go to Settings, then click Control Panel.
>  * Double-click Administrative Tools.
>  * Double-click Service.
>  * Double-click Messenger.
>  * In the "Startup type" list, choose Disabled.
>  * Click Stop, and then click OK.
>
>Windows 98/ME
>The Windows Messenger Service cannot be disabled
>
>--
>
>About LURHQ Corporation
>LURHQ Corporation is the trusted provider of Managed Security
>Services. Founded in 1996, LURHQ has built a strong business
>protecting the critical information assets of more than 400 customers
>by offering managed intrusion prevention and protection services.
>LURHQ's 24X7 Incident Handling capabilities enable customers to
>enhance their security posture while reducing the costs of managing
>their security environments. LURHQ's OPEN Service Delivery(TM)
>methodology facilitates a true partnership with customers by providing
>a real time view of the organization's security status via the
>Sherlock Enterprise Security Portal. For more information visit
>http://www.lurhq.com/
>
>Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
>the redistribution of this document electronically. It is not to be
>altered or edited in any way without the express written consent of
>LURHQ Corporation. If you wish to reprint the whole or any part of
>this document in any other medium excluding electronic media, please
>e-mail advisories at lurhq.com for permission.
>
>Disclaimer
>The information within this paper may change without notice. Use of
>this information constitutes acceptance for use in an AS IS condition.
>There are NO warranties implied or otherwise with regard to this
>information. In no event shall the author be liable for any damages
>whatsoever arising out of or in connection with the use or spread of
>this information.
>
>Feedback
>Updates and/or comments to:
>LURHQ Corporation
>http://www.lurhq.com/
>advisories at lurhq.com
>
>
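
One way to spot the pattern the advisory describes, a single source sending UDP to port 1026 or 135 across many addresses, in firewall logs. This is an added example, not part of the original post or the LURHQ advisory; the iptables-LOG-like layout, the sample lines, and the `find_sweeps` name and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# UDP ports the advisory ties to Messenger popup spam.
MESSENGER_UDP_PORTS = {135, 1026}

# Constructed sample in an iptables-LOG-like layout (assumed format, documentation IPs).
SAMPLE_LOG = """\
Jun 20 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4021 DPT=1026
Jun 20 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=4021 DPT=1026
Jun 20 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=4021 DPT=1026
Jun 20 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=UDP SPT=4021 DPT=1026
Jun 20 10:01:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4021 DPT=1026
Jun 20 10:01:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4022 DPT=135
Jun 20 10:02:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=3000 DPT=135
Jun 20 10:02:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=UDP SPT=3000 DPT=135
Jun 20 10:02:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.12 PROTO=UDP SPT=3000 DPT=135
Jun 20 10:03:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1026
Jun 20 10:03:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=1026
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def find_sweeps(log_text, min_targets=3):
    """Return (source, port, distinct_destinations) for UDP sources that hit a
    Messenger port on at least min_targets different destination addresses."""
    seen = defaultdict(set)  # (src, port) -> set of destination IPs
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP" or not f.get("DPT", "").isdigit():
            continue  # other protocols and malformed lines are ignored
        port = int(f["DPT"])
        if port in MESSENGER_UDP_PORTS and f.get("SRC") and f.get("DST"):
            seen[(f["SRC"], port)].add(f["DST"])
    # A single packet to 1026 may be a reply to a client's own request (1026 is
    # also handed out as an ephemeral port), so only multi-target sources are reported.
    hits = [(src, port, len(dsts)) for (src, port), dsts in seen.items()
            if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

if __name__ == "__main__":
    for src, port, n in find_sweeps(SAMPLE_LOG):
        print(f"{src} -> udp/{port}: {n} distinct destinations")
```
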