[Dshield] Virus /spammer question: possibility of remote email address lookup??

Gary Warner gar at askgar.com
Tue Mar 2 22:01:03 GMT 2004


I'm getting bounced traffic to my "catchall" address for my domain, and 
I'm trying to figure out if this is viral, or if there is a spammer 
using my domain for a sending address.

If it's a virus, I am AMAZED that it is able to send to so many 
sequential addresses.
It is enough to make me seriously wonder if somehow the virus is doing 
lookups against some spammer database out on the Internet.

Of course, I'm SPECULATING that this is a form of virus. . . the 
bounces have not included the attachment, and the subject lines are not 
matching my list of known subjects:

Look, for example, at this list of emails sent from 
"kayceficsuer at aksgar.com": a machine at IP address 81.202.41.233 sent 
a copy of the virus to them.

Message subject was:  Stocks that will doubl3 in @- w3ek


On another computer (81.60.164.9) mail was sent "from Josettejeabluhy at askgar.com" (this computer is in Spain) to this list:

Message subject was:   -98% of our Stocks Make+ Mon3y




The text of this email indicated the reader should see the attached financial report...


The last one that I received so far was sent from "Leonagjgnakuvf at askgar.com" and went to:



With the subject: 
Stocks with littl-3 risk_ in 04

What kind of person would have TWENTY email addresses in the "userid = pol - pow" range on yahoo.com sitting on their hard drive?
Or THIRTY-FIVE email addresses in the range "userid = eda - edd" on aol.com, or TWENTY email addresses in the range "angelh - angelm" on aol.com?

Would the virus REALLY search ALL the email addresses on their machine, and then alphabetize them by email address and send in blocks of 20 or 35 in alphabetical order?

I can reach no rational conclusion other than to suggest that there is an "online lookup" function built into the virus.

Has any researcher found such code?

The first was sent from 81.202.41.233, at 02MAR04 12:46:52 -0800
The next was sent from 217.99.65.71, at 02MAR04 14:46:51 -0500
The last was sent from 81.60.164.9, at 02MAR04 14:53:02 -0500

Could this be an indication of a remote-control spam program in use?  I'm very confused by this one!

_-_
gary warner
birmingham, alabama
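An added example, not part of the original post: a small Python check for the pattern described above, i.e. whether the recipients of a bounced batch are alphabetically contiguous within a single domain, which would point to a pre-sorted address list rather than addresses harvested from an infected machine's disk. The sample addresses and the helper names are constructed for illustration only.

```python
# Added example (not from the original post). Heuristic check for whether a
# batch of bounced recipients looks like a walk through a sorted address list.
from dataclasses import dataclass


@dataclass
class BatchReport:
    count: int
    domains: set           # distinct recipient domains in the batch
    is_sorted: bool        # local parts already in alphabetical order?
    local_range: tuple     # (first local part, last local part) as received
    shared_prefix: str     # longest prefix common to every local part


def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def domain_part(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def common_prefix(strings):
    # The common prefix of all strings equals that of the min and max.
    if not strings:
        return ""
    first, last = min(strings), max(strings)
    i = 0
    while i < min(len(first), len(last)) and first[i] == last[i]:
        i += 1
    return first[:i]


def analyze_batch(addrs):
    locals_ = [local_part(a) for a in addrs]
    return BatchReport(
        count=len(addrs),
        domains={domain_part(a) for a in addrs},
        is_sorted=locals_ == sorted(locals_),
        local_range=(locals_[0], locals_[-1]) if locals_ else ("", ""),
        shared_prefix=common_prefix(locals_),
    )


def looks_like_list_walk(report, min_count=10, min_prefix=2):
    """Sorted batch, one domain, local parts sharing at least two leading chars."""
    return (report.count >= min_count and report.is_sorted
            and len(report.domains) == 1 and len(report.shared_prefix) >= min_prefix)


# Constructed sample batches: one alphabetical block, one random-looking set.
LIST_WALK = [f"pow{s}@example.com" for s in (
    "alski", "der", "ell", "ens", "er_user", "erboat", "erdad", "erfoot", "ergrid", "erhouse")]
HARVESTED = ["mom@example.net", "bob.smith@example.org", "alice@example.com",
             "zed@example.com", "carol@example.net", "dave@example.org",
             "eve@example.com", "frank@example.net", "grace@example.org", "heidi@example.com"]
```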
