[unisog] anyone else seeing lots of popup spam/malware?

Pete Hickey pete at shadows.uottawa.ca
Wed Oct 26 19:08:34 GMT 2005

On Wed, Oct 26, 2005 at 05:51:23PM +1300, Russell Fulton wrote:
> Over the last couple of weeks we have noticed an increasing amount of
> UDP traffic with a source port of 0 and destination port of 102x (
> x=5,6) packets are always a variation of this:

I started seeing them in early August, and we've been getting
them steadily since then.  Heck, probably 5% of Argus's logs
are that...  Here was one of our messages:

      Microsoft Windows has encountered an Internal Error.
      kYour windows registry is corrupted.  We recommend a
      complete system scan.  Visit  http://FixReg32.com. To repair now.

> URL varies but always seems to redirect to
> http://www.registrycleaner32.com/?hop=softclean
> which does not respond.

It did for me then, and does now.  You can 'get a scan', or
buy something.  TO get a scan, you download and run a file called
install.exe.  If you want to buy ..whatever.. they start asking
for your credit card info before even asking for an address.

> All these packets hit the bit bucket at our perimeter firewall so the
> are not currently a threat to us.  The do however have me puzzled.

That was why I started trapping them and looking at the content.
At first, I though it was popup spam.

Pete Hickey                                       /~\  The ASCII
The University of Ottawa                          \ /  Ribbon Campaign
Ottawa, Ontario                                    X   Against HTML
Canada                                            / \  Email!

More information about the unisog mailing list