KF (lists) wrote:

>>>>>>>>>>>>>>>>>>>>
Message: 11
Date: Fri, 07 Jan 2005 11:19:56 -0500
From: "KF (lists)" <[EMAIL PROTECTED]>
Subject: Re: [Full-Disclosure] Microsoft AntiSpyware - First Impressions
To: full-disclosure@lists.netsys.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=windows-1252; format=flowed

Do a software update check with this thing and you get GIANTAntiSpywareMain.exe listening on port 2571 until the software is closed. Feel free to beat on and fuzz that port fellas. =]

-KF
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I found this with tcpview:

GIANTAntiSpywareMain.exe:3424 TCP p4fast.xxxx.com:3256 216.32.240.26:http ESTABLISHED
GIANTAntiSpywareMain.exe:3424 UDP p4fast:3255 *:*

OrgName: Savvis
OrgID: SAVVI-2
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange: 216.32.0.0 - 216.35.255.255
CIDR: 216.32.0.0/14
NetName: SAVVIS
NetHandle: NET-216-32-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:
RegDate: 1998-07-30
Updated: 2004-10-07

GET / HTTP/1.1
Host: 216.32.240.26
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 403 Forbidden
Content-Length: 218
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Date: Sat, 08 Jan 2005 16:40:07 GMT
Connection: close

If you look at, for instance, the system process or BHO area and select an unknown, an option to "send to spynet for analysis" is there. If you select this, it reports to the 216.31.240.26 also.

On a funny note, under the ActiveX area it lists the Microsoft update as this:

"Microsoft Windows Update Control Engine
This is an unknown ActiveX
File path: C:\WINDOWS\System32\iuengine.dll
Description: Windows Update Control Engine
Publisher: Microsoft Corporation
Last modified: Tue, 26 Aug 2003 01:19:52 GMT
Installed version: 5,4,3790,14
Download location: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37921.827546 2963"

It does look as if they jumped very quickly to launch this software!

Thank you,
Randall M

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
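Added example, not part of either post above and not code from Giant or Microsoft: a small Python parser for the tcpview-style lines quoted in the thread ("process:pid PROTO local remote [STATE]") that does the two checks a reader of this thread would want to automate, namely which processes accept traffic on a non-loopback address (the port-2571 situation KF describes) and which processes hold established connections to public IP addresses (the 216.32.240.26 connection Randall found). The sample listing is constructed; the port-2571 LISTENING line is assumed from KF's description, and the service-name table is a minimal offline stand-in for the names tcpview prints.

```python
"""Parse tcpview-style socket listings and flag what a host exposes.

Added example (not from the post): given lines in the format
"process:pid PROTO local remote [STATE]", it reports (a) sockets bound to a
non-loopback address that any peer could reach and (b) established
connections to globally routable IP addresses.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample, modelled on the tcpview lines in the post; the
# port-2571 LISTENING line is assumed from KF's description, not captured.
SAMPLE_TCPVIEW = """\
GIANTAntiSpywareMain.exe:3424 TCP p4fast.xxxx.com:3256 216.32.240.26:http ESTABLISHED
GIANTAntiSpywareMain.exe:3424 UDP p4fast:3255 *:*
GIANTAntiSpywareMain.exe:3424 TCP p4fast:2571 *:* LISTENING
svchost.exe:1044 TCP p4fast:135 *:* LISTENING
svchost.exe:1044 TCP 127.0.0.1:1029 *:* LISTENING
"""

# tcpview prints well-known ports by name; a small offline table covers the common ones.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "smtp": 25, "epmap": 135}

LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


class Socket(NamedTuple):
    proc: str
    pid: int
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: Optional[str]  # UDP lines carry no state in tcpview output


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'host:port' -> (host, port); a '*' port or an unknown service name gives None."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower())


def parse_tcpview(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate headers and blank lines instead of failing
        lh, lp = split_endpoint(m["local"])
        rh, rp = split_endpoint(m["remote"])
        sockets.append(Socket(m["proc"], int(m["pid"]), m["proto"], lh, lp, rh, rp, m["state"]))
    return sockets


def is_loopback(host: str) -> bool:
    """True for 127.x / ::1 / 'localhost'; a hostname such as 'p4fast' is a real interface."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(sockets: List[Socket]):
    """Sockets that accept traffic on a non-loopback address.

    TCP: state LISTENING. UDP: tcpview prints no state, so any bound UDP socket
    with a wildcard remote end counts.
    """
    found = set()
    for s in sockets:
        waiting = (s.proto == "TCP" and s.state == "LISTENING") or (
            s.proto == "UDP" and s.remote_host == "*"
        )
        if waiting and not is_loopback(s.local_host):
            found.add((s.proc, s.pid, s.proto, s.local_port))
    return found


def external_peers(sockets: List[Socket]):
    """Established connections whose remote end is a globally routable IP address."""
    peers = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        try:
            ip = ipaddress.ip_address(s.remote_host)
        except ValueError:
            continue  # remote shown as a name; resolve it separately if needed
        if ip.is_global:
            peers.append((s.proc, s.pid, s.remote_host, s.remote_port))
    return peers


if __name__ == "__main__":
    socks = parse_tcpview(SAMPLE_TCPVIEW)
    for item in sorted(exposed_listeners(socks)):
        print("exposed:", item)
    for item in external_peers(socks):
        print("outbound:", item)
```

Run against a real tcpview or netstat-style dump, the exposed list is the set of ports a firewall rule would have to cover while the update check runs, and the peers list is what to compare against the vendor's documented update and reporting hosts.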