To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,
I was able to get several EXE files. It's changing almost every hour, they use a kind of polymorphic packer.
The web-component of this StormWorm variant is distributed by the following domains:

mailfreepostcards.com
postcardsbargain.com
2007postcards.com
ecolorpostcards.com
bestnetpostcards.com
freewebpostcards.com

They all resolve to 209.123.8.198 at the moment.
The loader page could be "funvideo.html", "clip.html" or "winner.html".
Try to google for "Dont forget to see http" (with quotes).

More info here:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/mespam_infecting_web_20_with_l.html

Amazingly some Nigerian spammer gets infected as well (http://www.joewein.net/blog/?p=12) or is using an infected machine in some Internet Cafe. :)

EF

----- Original Message -----
From: Jake Mailinglists [mailto:[EMAIL PROTECTED]
To: Elia Florio [mailto:[EMAIL PROTECTED], [email protected]
Sent: Thu, 01 Mar 2007 14:37:20 +0100
Subject: Re: [botnets] "mailfreepostcards.com" - spreading on the web

> Hello,
> I believe they have modded the file for "fun.exe" as well as a null-padded
> html loader file "fun.html". Also on the same site. However, if you try to
> pull either exe file I get a redirect to a "secsup.org" mirror file... you?
>
> Jake
>
> On 2/26/07, Elia Florio <[EMAIL PROTECTED]> wrote:
> >
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > ----------
> > Hi,
> > looks like a component dropped by the StormWorm/Peacomm (rsvp32_2.dll) is
> > infecting the web by injecting a malicious link to bulletin boards, forum,
> > blogs, etc.
> >
> > Google for: "mailfreepostcards.com" to find some infected pages.
> > Infected users won't notice anything because the trojan acts as LSP and injection
> > works at tcp/ip level.
> >
> > EF
> >
> > _______________________________________________
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > All list and server information are public and available to law
> > enforcement upon request.
> > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
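One way a forum or blog operator could check stored posts for the injected links described in this thread, as an added example that is not part of the original emails. The indicator lists are copied from the messages above; `scan_post`, `host_matches` and the sample posts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the thread above (2007 data, likely stale today).
DOMAINS = {
    "mailfreepostcards.com", "postcardsbargain.com", "2007postcards.com",
    "ecolorpostcards.com", "bestnetpostcards.com", "freewebpostcards.com",
}
LOADER_PAGES = {"funvideo.html", "clip.html", "winner.html", "fun.html"}
LURE = "dont forget to see http"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_matches(host):
    """True for a listed domain or any subdomain of it, not for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_post(body):
    """Return a list of (reason, evidence) findings for one post body."""
    findings = []
    if LURE in body.lower():
        findings.append(("lure-phrase", LURE))
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the URL
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed authority, e.g. an unbalanced "["
            continue
        if not host_matches(parts.hostname or ""):
            continue
        page = parts.path.rsplit("/", 1)[-1].lower()
        reason = "loader-url" if page in LOADER_PAGES else "listed-domain"
        findings.append((reason, url))
    return findings


# Constructed sample posts, not real forum data.
SAMPLE_POSTS = {
    1: "Nice thread! Dont forget to see http://mailfreepostcards.com/funvideo.html",
    2: "Mirror at http://www.2007postcards.com/cards/ if the first is down.",
    3: "Unrelated: http://notmailfreepostcards.com/clip.html and http://example.org/",
}

if __name__ == "__main__":
    for post_id, body in SAMPLE_POSTS.items():
        print(post_id, scan_post(body))
```

Because the thread says the trojan injects at the TCP/IP level on the poster's machine, a hit points to an infected user account rather than a compromised forum server.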
