Full Disclosure mailing list archives

RE: URLs used by W32/MyDoom-O (aka .AX, .BB) to query search engines?


From: "Patrick Nolan" <p.nolan () comcast net>
Date: Thu, 17 Feb 2005 22:44:11 -0800

-----Original Message-----
From: full-disclosure-bounces () lists netsys com 
Sent: Thursday, February 17, 2005 5:01 PM
Subject: URLs used by W32/MyDoom-O (aka .AX,.BB) to query search engines?

Hello List,

Does anyone have a list of query URLs used by W32/MyDoom-O 
(Sophos name: 
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html)
to dig e-mail addresses from search engines?

Here are examples of the 4 URLs used by that virus, where %domain% is like
the comcast.net in my email address =>

#1 - www.altavista.com

GET /web/results?q=%domain%+email&kgs=0&kls=0&nbq=20 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.altavista.com
Connection: Keep-Alive

#2 - www.google.com

GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+%domain%&num=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.google.com

#3 - Search.Lycos.com

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+%domain% HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.lycos.com

#4 - search.yahoo.com

GET /search?p=email+ %domain% &ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.yahoo.com


Are these specific enough that there's a chance to catch them 
in the config of a web proxy (e.g. Squid) and avoid being 
"blacklisted" by the search engines? (seems to me that Google 
temporarily blacklists IPs that drown them under such requests)

You could use an IDP signature to block the requesting traffic.

Greets,
_Alain_

Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com
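As an added example (not from either poster), the four request lines quoted above turned into proxy-log detection: each GET line becomes a regex with %domain% as a capture group, and matches are tallied per client so a host that is mining several engines for addresses stands out in a Squid access.log. The log lines, the client addresses and the DIRECT peers are constructed; the optional %20 in the Yahoo pattern is my assumption that the blanks around %domain% in that line are mail wrapping.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Request patterns built from the four GET lines quoted above; %domain% becomes a
# capture group. The blanks around %domain% in the Yahoo line are assumed to be
# mail wrapping, so an optional %20 is tolerated there instead.
MYDOOM_O_QUERIES = {
    "altavista": re.compile(r"^/web/results\?q=(?P<domain>[^+&]+)\+email&kgs=0&kls=0&nbq=20$"),
    "google": re.compile(r"^/search\?hl=en&ie=UTF-8&oe=UTF-8&q=mailto\+(?P<domain>[^&]+)&num=100$"),
    "lycos": re.compile(r"^/default\.asp\?lpv=1&loc=searchhp&tab=web&query=mailto\+(?P<domain>[^&]+)$"),
    "yahoo": re.compile(r"^/search\?p=email\+(?:%20)?(?P<domain>[^&%]+)(?:%20)?"
                        r"&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=$"),
}

def classify_request(url):
    """Return (engine, harvested_domain) if url is one of the worm's queries, else None."""
    parts = urlsplit(url)
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    for engine, pattern in MYDOOM_O_QUERIES.items():
        m = pattern.match(path_query)
        if m:
            return engine, m.group("domain")
    return None

def scan_access_log(lines, threshold=2):
    """Tally matching requests per client in Squid native access.log lines and
    return {client: {"engines": Counter, "domains": set}} for clients at or
    above threshold; the tally, not a single hit, is what separates a worm from a user."""
    hits = defaultdict(lambda: {"engines": Counter(), "domains": set()})
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or fields[5] != "GET":
            continue  # truncated line or not a GET
        found = classify_request(fields[6])
        if found:
            engine, domain = found
            hits[fields[2]]["engines"][engine] += 1
            hits[fields[2]]["domains"].add(domain)
    return {c: h for c, h in hits.items() if sum(h["engines"].values()) >= threshold}

# Constructed Squid access.log lines: 10.0.0.17 plays the infected host,
# 10.0.0.42 is an ordinary user running a normal Google search.
SAMPLE_LOG = [
    "1108684800.101 312 10.0.0.17 TCP_MISS/200 5120 GET http://www.altavista.com/web/results?q=comcast.net+email&kgs=0&kls=0&nbq=20 - DIRECT/203.0.113.5 text/html",
    "1108684801.204 288 10.0.0.17 TCP_MISS/200 7230 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+comcast.net&num=100 - DIRECT/203.0.113.6 text/html",
    "1108684802.330 190 10.0.0.17 TCP_MISS/200 6010 GET http://search.yahoo.com/search?p=email+comcast.net&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= - DIRECT/203.0.113.7 text/html",
    "1108684803.002 120 10.0.0.42 TCP_MISS/200 2048 GET http://www.google.com/search?hl=en&q=squid+url_regex - DIRECT/203.0.113.6 text/html",
]
```

The same regexes can be dropped into a Squid `acl ... url_regex` line to deny the requests outright, which addresses the blacklisting concern raised in the question; the log scan is what tells you which internal host to clean.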

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
