Security Incidents mailing list archives
RE: ANI Exploits in Spam -> more info
From: "Hubbard, Dan" <dhubbard () websense com>
Date: Wed, 30 Mar 2005 07:22:13 -0800
Not to say there are / will be other variants but to date all sites we have seen to date have the same code which goes to: http:// 70.84.199.74/ hi.exe Which is a wootbot AKA Sdbot. -----Original Message----- From: James C. Slora, Jr. [mailto:james.slora () phra com] Sent: Tuesday, March 29, 2005 8:25 AM To: incidents () securityfocus com Subject: RE: ANI Exploits in Spam Britton, Jeff B. wrote Tuesday, March 29, 2005 11:00 AM
I notice the same trend. ANI files seem to be coming from: (some name).sitemynet.com\*.ani
If possible, I would block sitemynet.com (212.101.97.230).
Keep in mind this is only mildly and temporarily effective. Sites and file names can and probably will change without warning. The ANI files download sdbot from a totally different address which will also likely change. Better blocking might involve screening cursor styles out of email, reading messages in Plain Text, and ensuring machines are patched for MS05-002. ANR and ANI exploits are in the wild on the web, used by adware installers and other miscreants. So the patch is the most important of all.
Current thread:
- RE: ANI Exploits in Spam -> more info Hubbard, Dan (Mar 30)