[unisog] anyone else seeing lots of popup spam/malware?

Russell Fulton r.fulton at auckland.ac.nz
Wed Oct 26 04:51:23 GMT 2005


Over the last couple of weeks we have noticed an increasing amount of
UDP traffic with a source port of 0 and destination port of 102x
(x=5,6). Packets are always a variation of this:

..x.......................{Z........O.......................
................................Microsoft...#.......#...info
rm you about a virus detection..W.......W...WINDOWS REQUIRES
 IMMEDIATE ATTENTION...Windows has found CRITICAL SYSTEM ERR
ORS..To fix the errors please do the following:.1. Download
Registry Repair from: http://www.e-regclean.com for a .FREE
registry scan..2. Install Registry Repair.3. Run Registry Re
pair.4. Reboot your computer.FAILURE TO ACT NOW MAY LEAD TO
DATA LOSS AND CORRUPTION!.......

which I assume is a popup message.

URL varies but always seems to redirect to
http://www.registrycleaner32.com/?hop=softclean

which does not respond.

All these packets hit the bit bucket at our perimeter firewall so they
are not currently a threat to us.  They do however have me puzzled.

Some more oddities:

Over the last 3 days we have seen around 180,000 to our /16 but only
about 1600 IPs were targeted (up from just over 1000 for the last 24
hours). There were slightly over 5500 source addresses (these may well
be -- um... almost certainly are-- spoofed).

Packets come in irregular bursts of about 20-100 packets with a single
source IP.

The system seems very badly implemented, but if it is improved it could
prove to be a problem.

Cheers, Russell
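
The traffic pattern described in the post above (UDP, source port 0, destination port 1025 or 1026, arriving in bursts from a single source), as an added example that is not part of the original post: a small Python filter that counts matching packets, distinct sources and targets, and per-source burst sizes. The CSV flow-log layout, the sample records and the 2-second burst gap are assumptions made for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

POPUP_PORTS = {1025, 1026}   # the "102x (x=5,6)" destination ports from the post
BURST_GAP = 2.0              # assumption: seconds of silence that ends a burst

# Constructed sample flow log: epoch_seconds,proto,src,sport,dst,dport
SAMPLE = """\
1130300000.0,udp,198.51.100.7,0,192.0.2.10,1026
1130300000.1,udp,198.51.100.7,0,192.0.2.11,1026
1130300000.2,udp,198.51.100.7,0,192.0.2.12,1025
1130300001.0,udp,203.0.113.9,53,192.0.2.10,1026
1130300005.0,tcp,203.0.113.9,0,192.0.2.10,1025
1130300030.0,udp,198.51.100.7,0,192.0.2.10,1026
1130300031.0,udp,203.0.113.44,0,192.0.2.11,1025
"""

def matches(row):
    """True for UDP with source port 0 and destination port 1025 or 1026."""
    return (row["proto"] == "udp" and int(row["sport"]) == 0
            and int(row["dport"]) in POPUP_PORTS)

def summarize(text, gap=BURST_GAP):
    """Count matching packets, sources, targets and per-source burst sizes."""
    fields = ["ts", "proto", "src", "sport", "dst", "dport"]
    hits = [r for r in csv.DictReader(StringIO(text), fieldnames=fields)
            if matches(r)]
    hits.sort(key=lambda r: float(r["ts"]))
    targets = {r["dst"] for r in hits}
    last_seen = {}
    bursts = defaultdict(list)   # src -> packet count of each burst, in order
    for r in hits:
        ts, src = float(r["ts"]), r["src"]
        # A new burst starts on first sight of a source or after a quiet gap.
        if src not in last_seen or ts - last_seen[src] > gap:
            bursts[src].append(0)
        bursts[src][-1] += 1
        last_seen[src] = ts
    return {"packets": len(hits), "sources": len(bursts),
            "targets": len(targets), "bursts": dict(bursts)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Since the post notes the source addresses are almost certainly spoofed, the target count and burst sizes are the more dependable outputs; the source list is best treated as a grouping key only.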

