RE: UDP port 1026 probe?

["James C Slora Jr" <Jim.Slora () phra com>]

Kero-Chan III wrote Sunday, April 17, 2005 10:08 PM

> I saw a big increase in UDP packets sent to port 1026 (and 1027
occasionally)...

> $ nc -l -p 1026 -u -v
> listening on [any] 1026 ...
> 61.235.154.90: inverse host lookup failed: Unknown host connect to
[my.ip.addr] from
> (UNKNOWN) [61.235.154.90] 36240 (ø{ZÿÐ(c)²ÀO¶æüÿÿÿÿ{STOPALERT77STOP!
WINDOWS REQUIRES 
> IMMEDIATE ATTENTION.

> Windows has found 47 Critical Errors.

> To fix the errors please do the following:
> 1. Download Registry Repair from: www.reg-patch.com 2. Install Registry
Repair 3. Run > Registry Repair 4. Reboot your computer FAILURE TO ACT NOW
MAY LEAD TO DATA LOSS AND > CORRUPTION!

> What is this? ICQ buffer overflow? Or something totally different?

This looks like just Messenger spam. It is designed to pop up a message on
the target's Windows desktop. The messages commonly promote malware
disguised as legitimate utilities. They send commonly these to any or all of
1025 through 1029, since Windows creates a listener on one of the low
dynamic ports. Usually I see an accompanying attempt against UDP 137 with
the same content.



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------