Security Incidents mailing list archives

RE: ANI Exploits in Spam

From: "James C. Slora, Jr." <james.slora () phra com>
Date: Tue, 29 Mar 2005 11:25:08 -0500

Britton, Jeff B. wrote Tuesday, March 29, 2005 11:00 AM

I notice the same trend.  ANI files seem to be coming from: 
(some name).sitemynet.com\*.ani

If possible, I would block sitemynet.com (212.101.97.230).


Keep in mind this is only mildly and temporarily effective. Sites and
file names can and probably will change without warning. The ANI files
download sdbot from a totally different address which will also likely
change.

Better blocking might involve screening cursor styles out of email,
reading messages in Plain Text, and ensuring machines are patched for
MS05-002. ANR and ANI exploits are in the wild on the web, used by
adware installers and other miscreants. So the patch is the most
important of all.

Current thread:

ANI Exploits in Spam James C. Slora, Jr. (Mar 29)
- <Possible follow-ups>
- RE: ANI Exploits in Spam Britton, Jeff B. (Mar 29)
- RE: ANI Exploits in Spam James C. Slora, Jr. (Mar 29)
  - RE: ANI Exploits in Spam James C Slora Jr (Mar 30)