[Dshield] Bizarre Activity Spurt...
Freek de Kruijf
f.de.kruijf at hetnet.nl
Mon Oct 17 13:06:03 GMT 2005
I captured a number of these packages. I received these packages on the
following ports; the number in the second column is the count for Oct 16:
I analysed a small number of these packages on most of these ports. All had
the format of the Windows Messenger and the message was:
"Windows has encountered an Internal Error
"Your windows registry is corrupted.
"We recommend a complete system scan.
"To repair now!
However, in the above, the URL varies.
I have also seen:
The last does not have an IP-address anymore. It was 18.104.22.168.
www.fixthereg.com has the IP-addresses:
www.fixregnow.net had the IP-address: 22.214.171.124
Now it is: 126.96.36.199
www.cleanthispc.com has the IP-address: 188.8.131.52
All the above URLs refer to the URL http://hop.clickbank.net/<varies>
hop.clickbank.net has IP-address: 184.108.40.206
Also I found a prefix in front of .hop.clickbank.net, but any prefix refers
to the same IP-address.
However, these URLs are also referrals to:
http://www.registrycleaner32.com with IP-address 220.127.116.11
http://winregcleaner.com with IP-address 18.104.22.168
http://www.myspywarecleaner.com with IP-address 22.214.171.124
The IP-addresses for the URLs in the Windows Message all belong to the ISP
Internap Network Services and the company
Address: 11807 NE 99th Street, Suite 1100
The hop.clickbank.net (domain) is owned by
Click Sales, Inc. (CLICKBANK-NET-DOM)
915 W. Jefferson Street
Boise, ID 83702
IP-address is owned by:
OrgName: COLOC8 INC.
Address: Administrative Offices
Address: 917 Lusk Street, 3rd Floor
The last 3 IP-addresses all have different owners. Only one, 126.96.36.199, is
also owned by the ISP Internap Network Services, but the owner is
Address: 16771 NE 80th Street
Beelaerts ICT Consultancy