New Mass Mailer

Thread: New Mass Mailer

  1. #1

    New Mass Mailer

    I keep getting this:
    Hi! I am looking for new friends.

    My name is Jane, I am from Miami, FL.

    See my homepage <http://somerandomip:1639/index.htm> with my weblog and
    last webcam photos!

    See you!
    Is this anything new? The email itself does not seem malicious, but I bet dollars to donuts the IP/page it links to is. If anyone has any of these emails, and can get the source of the page it links to, I'd like to see it. (every one I have tried has timed out.) I'm interested in how it is exploiting people.

    Thanks!

    edit (there are many variations on this, including attachments w/o executable code)

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I haven't gotten an email like that.

    I'm about to reformat this box though send me that link and I'll grab the source for you.

  3. #3
    Unfortunately I tossed all the emails. They aren't even in the trash, for some reason. :/

    None of them had a working link, each one is probably being DDoSed by people trying to do the same thing. I have a feeling they are zombie boxes being linked. Anyway, I'm sure to get another one, expect a pm if you are interested. I just gotta catch it early enough where the link still works, then I can telnet to it and grab the source.

  4. #4
    Member
    Join Date
    Dec 2003
    Posts
    97
    It's a new variant of mydoom, which exploits the as-yet unpatched Internet Explorer IFRAME vuln. You can find more info from Symantec:

    http://securityresponse.symantec.com...oom.ah@mm.html

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Thanks Timmy77, I was infected partially on a friend's system with something similar to it and I couldn't figure out whether it was new or old and what to do with it.
    Space For Rent.. =]

  6. #6
    Member
    Join Date
    Dec 2003
    Posts
    97
    Happy I could help.

    Incidentally, another mydoom just popped up, very similar to this one, just with different subject lines in the e-mail.

    http://securityresponse.symantec.com...oom.ai@mm.html

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hmm, you put it best when you said they were "different variants of mydoom". That was the best way to put it and I don't think we've seen the last of them personally. I think we'll see several similar to it just with different subject lines/messages.
    Space For Rent.. =]

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    On the issue of the new Mydoom AI.....

    This is a hard one to stop at the perimeter. It's not an attachment but rather a URL. I'm trying to determine if my firewall can filter URLs in SMTP by content type without screwing the whole pooch. In the meantime this is definitely worth a warning to the users.

    I suspected that the URL would contain an IP address rather than an FQDN that would point to an owner and it appears that others on this thread have confirmed my expectation.... it's something the users can understand.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

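    The lure quoted in the first post and the perimeter question in this post turn on the same observable: the link's host is a raw IP address on an odd port rather than a name that points to an owner. The following is an added example, not code from the thread, from Symantec, or from any firewall vendor. It scans a message body for http(s) URLs and flags those whose host is an IP literal or whose port is not 80/443; the sample bodies are constructed, with documentation addresses (192.0.2.10, 2001:db8::1) standing in for the real one.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample message bodies (not real captures). The first mirrors
# the lure quoted in the thread with a documentation IP standing in for the
# original address; the others exercise a normal hostname URL and an IPv6
# literal so the classifier is checked on both shapes.
SAMPLE_BODIES = {
    "lure": (
        "Hi! I am looking for new friends.\n"
        "My name is Jane, I am from Miami, FL.\n"
        "See my homepage <http://192.0.2.10:1639/index.htm> with my weblog and\n"
        "last webcam photos!\n"
        "See you!\n"
    ),
    "benign": "Release notes are at https://www.example.com/notes/index.htm - thanks!",
    "ipv6": "Check http://[2001:db8::1]:8080/index.htm when you can.",
}

# Matches http(s) URLs up to whitespace or an angle-bracket/quote delimiter,
# so a URL wrapped in <...> as in the lure is captured without the bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Ports treated as ordinary for web links; anything else is flagged.
STANDARD_PORTS = {80, 443}


def extract_urls(body):
    """Return the http(s) URLs in a message body, trailing punctuation trimmed."""
    return [m.group(0).rstrip(".,;:)!") for m in URL_RE.finditer(body)]


def classify_url(url):
    """Return the list of reasons this URL looks like a lure (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    host = parts.hostname
    if host is None:
        return ["unparseable_host"]
    try:
        ipaddress.ip_address(host)      # accepts both IPv4 and IPv6 literals
        reasons.append("literal_ip_host")
    except ValueError:
        pass                            # an ordinary DNS name
    try:
        port = parts.port               # None when no explicit port is given
    except ValueError:
        port = None
        reasons.append("invalid_port")
    if port is not None and port not in STANDARD_PORTS:
        reasons.append("nonstandard_port")
    return reasons


def scan_body(body):
    """Return one record per URL in the body with the reasons it was flagged."""
    return [{"url": u, "reasons": classify_url(u)} for u in extract_urls(body)]


def is_suspicious(body):
    """True if any URL in the body carries at least one flag."""
    return any(rec["reasons"] for rec in scan_body(body))


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        for rec in scan_body(body):
            verdict = "FLAG" if rec["reasons"] else "ok"
            print(f"{name:7s} {verdict:4s} {rec['url']} {rec['reasons']}")
```

    Run as a script it prints one line per URL; as a filter hook, `is_suspicious` is the function to call on each body. A literal-IP host alone is a weak signal (some legitimate mail carries them), so in practice the two flags are best combined with the message's other features or used to quarantine for review rather than to drop outright.
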
  9. #9
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    And there we go again with the naming inconsistencies (whoever posted about it not too long ago)...

    Timmy's first link - Symantec's site: MyDoom.AH
    According to the Symantec site, Sophos calls it Bofra-B. (and MyDoom.AI is Bofra-A)...
    But McAfee calls the AI variant AG, CA only got to AF, Kaspersky only AD...

    And Sophos calls this interesting one (the one with the attachments) AG, while Symantec calls it AF, and Kaspersky AA... jeebus.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Symantec is calling it AI....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
