RE: E-Card Remote Code Execution Scam

From: Jason Robertson (jasonat_private)
Date: Sat Sep 28 2002 - 18:12:00 PDT


    Here is what I have found
    http://and.doxdesk.com/parasite/Cytron.html
    
    and the file inside is potd.dll
    
    It downloads the file trop.xml from one of two sites (the two <repository> URLs below); its body is
    reproduced next and is a typical adware targeting configuration. Note that, as reproduced here, the
    <repository> elements have no closing tags, so this copy is not well-formed XML.
    
    <?xml version="1.0"?>
    <trop>
       <operating-parameters>
          <repository>http://66.230.217.196/cybersex/trop.xml>
          <repository>http://216.187.109.101/cybersex/trop.xml>
       </operating-parameters>
    
       <targeting-rule hit-count="5" interleave-factor="8" url="http://66.230.217.196/cybersex/mn/mensnetwork.html"> 
          <disabled-by cookie="MN" value="MN" url="http://www.themensnetwork.com/"/>
          <key-phrase weight="3" presence="required">gay</key-phrase>
          <key-phrase weight="1">sex</key-phrase>
          <key-phrase weight="1">XXX</key-phrase>
          <key-phrase weight="1">videos</key-phrase>
          <key-phrase weight="1">men</key-phrase>
          <key-phrase weight="2">ass</key-phrase>
          <key-phrase weight="3">anal</key-phrase>
          <key-phrase weight="3">cocks</key-phrase>
          <key-phrase weight="3">porn</key-phrase>
          <key-phrase weight="1">guys</key-phrase>
       </targeting-rule>
    
       <targeting-rule hit-count="5" interleave-factor="8" url="http://66.230.217.196/cybersex/sv/studvision.html"> 
          <disabled-by cookie="SV" value="SV" url="http://www.studvision.com/"/>
          <key-phrase weight="3" presence="required">gay</key-phrase>
          <key-phrase weight="1">sex</key-phrase>
          <key-phrase weight="1">XXX</key-phrase>
          <key-phrase weight="1">videos</key-phrase>
          <key-phrase weight="1">men</key-phrase>
          <key-phrase weight="2">ass</key-phrase>
          <key-phrase weight="3">anal</key-phrase>
          <key-phrase weight="3">cocks</key-phrase>
          <key-phrase weight="3">porn</key-phrase>
          <key-phrase weight="1">guys</key-phrase>
       </targeting-rule>
    
       <targeting-rule hit-count="4" interleave-factor="8" url="http://www.xtremehardcore.com/ad/index.cfm"> 
          <disabled-by cookie="XHC" value="XHC" url="http://www.xtremehardcore.com/"/>   
          <key-phrase weight="2">hot sex</key-phrase>
          <key-phrase weight="2">hardcore</key-phrase>
          <key-phrase weight="2">extreme hardcore</key-phrase>
          <key-phrase weight="2">fucking</key-phrase>
          <key-phrase weight="2">XXX</key-phrase>
          <key-phrase>nudity</key-phrase>
          <key-phrase presence="required">sex</key-phrase>
              <key-phrase presence="illegal">gay</key-phrase>
       </targeting-rule>
       
       <targeting-rule hit-count="5" interleave-factor="8" url="http://66.230.217.196/cybersex/twyw/twyw.html"> 
          <disabled-by cookie="TNYW" value="TNYW" url="http://www.tnyw.com/"/>   
          <key-phrase weight="2">hot sex</key-phrase>
          <key-phrase>sex</key-phrase>
          <key-phrase weight="2">hardcore</key-phrase>
          <key-phrase weight="2">extreme hardcore</key-phrase>
          <key-phrase weight="2">fucking</key-phrase>
          <key-phrase weight="2">XXX</key-phrase>
          <key-phrase>nudity</key-phrase>
          <key-phrase weight="2">Hardcore</key-phrase>
          <key-phrase>Sex</key-phrase>
              <key-phrase weight="4">centerfold</key-phrase>
          <key-phrase presence="illegal">gay</key-phrase>     
       </targeting-rule>   
    
       <targeting-rule hit-count="3" interleave-factor="8" url="http://66.230.217.196/cybersex/soy/spyonyou.html">
          <disabled-by cookie="SOY" value="SOY" url="http://www.spyonyou.com/"/>
          <disabled-by cookie="SOY" value="SOY" url="http://spyonyou.cybersexent.com/"/>      
          <key-phrase>reality</key-phrase>
          <key-phrase>TV</key-phrase>
          <key-phrase>spy</key-phrase>
          <key-phrase>voyeur</key-phrase>
          <key-phrase>big brother</key-phrase>
          <key-phrase>webcam</key-phrase>
          <key-phrase>videocam</key-phrase>
          <key-phrase>cam</key-phrase>
              <key-phrase weight="2">sex</key-phrase>
          <key-phrase presence="illegal">gay</key-phrase>     
       </targeting-rule>
    
       <targeting-rule hit-count="3" interleave-factor="8" url="http://66.230.217.196/cybersex/nc/nitechat.html">
              <key-phrase presence="illegal">NC member</key-phrase>
          <key-phrase>dating</key-phrase>
          <key-phrase>relationship</key-phrase>
          <key-phrase>love</key-phrase>
          <key-phrase>personals</key-phrase>
          <key-phrase>videoconference</key-phrase>
          <key-phrase>videoconfrencing</key-phrase>
          <key-phrase>video conferencing</key-phrase>
          <key-phrase>romance</key-phrase>
          <key-phrase>cupid</key-phrase>
       </targeting-rule>
    
      <targeting-rule hit-count="4" interleave-factor="5" url="http://66.230.217.196/cybersex/ce/ce.html">
          <key-phrase weight="3">hardcore</key-phrase>
          <key-phrase weight="2">sex</key-phrase>
          <key-phrase weight="2">girls</key-phrase>
          <key-phrase weight="1">pussy</key-phrase>
          <key-phrase weight="1">sluts</key-phrase>
          <key-phrase weight="2">videos</key-phrase>
          <key-phrase weight="3">horny</key-phrase>
          <key-phrase presence="illegal">gay</key-phrase>
       </targeting-rule>
    
       <targeting-rule hit-count="4" interleave-factor="5" url="http://66.230.217.196/cybersex/ce/clubx.html">
          <disabled-by cookie="ClubX" value="ClubX" url="http://www.mainentrypoint.com/"/> 
          <key-phrase weight="3">hardcore</key-phrase>
          <key-phrase weight="2">sex</key-phrase>
          <key-phrase weight="2">girls</key-phrase>
          <key-phrase weight="1">pussy</key-phrase>
          <key-phrase weight="1">sluts</key-phrase>
          <key-phrase weight="2">videos</key-phrase>
          <key-phrase weight="3">horny</key-phrase>
          <key-phrase weight="3">lesbian</key-phrase>
          <key-phrase weight="3">lesbians</key-phrase>
          <key-phrase presence="illegal">gay</key-phrase>
       </targeting-rule>   
       
    </trop>
    On 28 Sep 2002 at 5:28, Jonathan A. Zdziarski wrote:
    
    From:           	"Jonathan A. Zdziarski" <jonathanat_private>
    To:             	<incidentsat_private>
    Copies to:      	<abuseat_private>
    Subject:        	RE: E-Card Remote Code Execution Scam
    Date sent:      	Sat, 28 Sep 2002 05:28:48 -0400
    Mailer:         	Microsoft Outlook, Build 10.0.2616
    
    > FYI I was incorrect about this originating from yahoo's mail servers.
    > Hey it's 5am here.  On closer look, it appears the sender only did a
    > HELO using a yahoo mail server's hostname.  The actual headers are
    > below.  Ironically linkserve.com's website advertises as "Nigeria's top
    > ISP".  
    > 
    > Received: from linkserve.com ([195.166.232.2])
    > 	by elijah.cafejesus.com (8.11.6/8.11.4) with ESMTP id
    > g8S4s1b07090
    > 	for <jonathanat_private>; Sat, 28 Sep 2002 00:54:02 -0400
    > (EDT)
    > Received: from [208.40.204.2] (HELO mx1.mail.yahoo.com)
    >   by linkserve.com (CommuniGate Pro SMTP 3.5.9)
    >   with ESMTP id 1423750; Sat, 28 Sep 2002 05:43:24 -0100
    > Message-ID: <00006b79470e$0000264c$00006c7eat_private>
    > To: <Undisclosed.Recipients>
    > From: egreetingsat_private
    > Subject: DSPAM: You have recieved and E-Card ]31624
    > Date: Fri, 27 Sep 2002 21:42:54 -1900
    > MIME-Version: 1.0
    > Content-Type: text/html;
    > 	charset="iso-8859-1"
    > Content-Transfer-Encoding: quoted-printable
    > X-Priority: 1
    > X-MSMail-Priority: High
    > MIME-Version: 1.0
    > X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.3.2 SunOS 5.7 sun4u sparc
    > Sensitivity: Confidential
    > X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    --
    Jason Robertson                
    Now at the Nation Research Council.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


