[Dshield] Bizarre Activity Spurt...

Robert Nelson nelsrob at mts.net
Sat Oct 15 01:29:40 GMT 2005


Yep, more of the same garbage...

It's too bad that enough people fall for this scam to keep these folks in
business.

My Ex got a computer from her brother... He decided to start his own
business building them. Well, he installed XP Pro, but didn't bother to run
Windows Update. So no firewall, no patches... My Ex is not a computer
expert, and my efforts to enlighten her don't seem to sink in. [Must be why
she's my Ex! ;)] And when I went to visit, I noticed some of this crud pop
up on her computer. Thus I had my work cut out for me...

Also too bad anyone can sell computers... But I think we had that discussion
before somewhere, didn't we?

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Chris Brenton
Sent: October 14, 2005 7:38 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Bizarre Activity Spurt...


On Fri, 2005-10-14 at 17:33 -0500, Robert Nelson wrote:
>
> Yessirree Bob, right on time. 20 hits each from 8 different addresses 
> (spoofed of course) for a total of 160 hits. All from port 52624 this 
> time.

Geesh, didn't take long to generate this capture. ;-)

Appears to be some slimebags attempting to dupe users into thinking their
registry is corrupted. Some decodes for those who are interested:


U 221.6.163.50:52620 -> 64.222.191.6:1026
 
..(.......................{Z........O....&.7...k...Oz.......................
................FROM........................TO..............<.......<...S
  TOP! WINDOWS REQUIRES IMMEDIATE ATTENTION...Windows has found 51 Critical
System Errors...To fix the errors please do the following:..1. Download Rep
  air Registry Pro from: fix-ms.com.2. Install Repair Registry Pro.3. Run
Repair Registry Pro.4. Reboot your computer..FAILURE TO ACT NOW MAY LEAD TO
S
  YSTEM FAILURE!:..
#
U 202.99.172.160:48970 -> 64.222.191.4:1026
 
..(.......................{Z........O...D...\....'.2.}~.....................
................SECURITY....................ALERT.......................W
  indows has encountered an Internal Error.Your windows registry is
corrupted...We recommend a complete system
scan...Visit..http://FixRegNow.com..To r
  epair now...
#

The URLs in the payload get redirected to: http://www.registryupdate.com/
http://www.repairregistrypro.com/?hop=cleanerreg

Translation: "Our product sucks so bad we need to use FUD to sell it". So I
wonder if these products report bogus problems as well as part of the scam?

Happy trails,
Chris
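The decodes above are Windows Messenger Service (net send) popup spam delivered over UDP to port 1026. As an added example, not part of this thread, here is a small Python detector that flags such packets by destination port plus the scare phrases and domains in the payload. The packet tuples and payload bytes are constructed to mirror the two captures; the RPC header bytes are filler and port 1027 is assumed as the usual alternate Messenger port.

```python
import re
from typing import NamedTuple

class UdpPacket(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# 1026 is the port seen in the captures; 1027 is assumed as the usual alternate.
MESSENGER_PORTS = {1026, 1027}
# Fear-mongering phrases taken from the two decodes, matched case-insensitively.
SCARE_PHRASES = (b"critical system errors", b"registry is corrupted", b"failure to act now",
                 b"windows requires immediate attention", b"internal error")
DOMAIN_RE = re.compile(rb"(?:https?://)?(?:[a-z0-9-]+\.)+(?:com|net|org)\b", re.I)
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")

def extract_text(payload: bytes) -> bytes:
    """Messenger popups carry NUL-padded ASCII strings (FROM, TO, body);
    collapse the printable runs into one string for matching."""
    return b" ".join(PRINTABLE_RE.findall(payload))

def classify(pkt: UdpPacket):
    """Return an alert dict for Messenger-service scareware spam, else None."""
    if pkt.dport not in MESSENGER_PORTS:
        return None
    text = extract_text(pkt.payload)
    hits = [p.decode() for p in SCARE_PHRASES if p in text.lower()]
    if not hits:
        return None
    domains = sorted({re.sub(r"^https?://", "", d.decode().lower()) for d in DOMAIN_RE.findall(text)})
    return {"src": f"{pkt.src}:{pkt.sport}", "dst": f"{pkt.dst}:{pkt.dport}",
            "phrases": hits, "domains": domains}

def scan(packets):
    return [r for r in (classify(p) for p in packets) if r]

# Constructed sample traffic: two spam popups mirroring the decodes, a DNS
# query that must not be flagged, and a plain net send to 1026 (also not flagged).
SAMPLE_PACKETS = [
    UdpPacket("221.6.163.50", 52620, "64.222.191.6", 1026,
              b"\x04\x00(\x00" + b"\x00" * 20 + b"FROM" + b"\x00" * 12 + b"TO" + b"\x00" * 8
              + b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION\x00Windows has found 51 Critical System Errors\x00"
              b"1. Download Repair Registry Pro from: fix-ms.com\x00FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!\x00"),
    UdpPacket("202.99.172.160", 48970, "64.222.191.4", 1026,
              b"\x04\x00" + b"\x00" * 22 + b"SECURITY" + b"\x00" * 8 + b"ALERT" + b"\x00" * 8
              + b"Windows has encountered an Internal Error.Your windows registry is corrupted\x00"
              b"Visit\x00http://FixRegNow.com\x00To repair now\x00"),
    UdpPacket("10.0.0.5", 53412, "10.0.0.1", 53, b"\x12\x34\x01\x00\x00\x01example.com"),
    UdpPacket("10.0.0.7", 1029, "10.0.0.9", 1026,
              b"\x04\x00" + b"\x00" * 10 + b"FROM\x00\x00admin\x00\x00TO\x00\x00\x00Meeting at 3pm\x00"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

On a live box the same logic can be fed from a sniffer; blocking inbound UDP 1026/1027 at the firewall, as the thread notes, stops the popups before any parsing is needed.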