RE: ANI Exploits in Spam -> more info

["Hubbard, Dan" <dhubbard () websense com>]

Not to say there are / will be other variants but to date all sites we
have seen to date have the same code which goes to: http://
70.84.199.74/ hi.exe

Which is a wootbot AKA Sdbot.

-----Original Message-----
From: James C. Slora, Jr. [mailto:james.slora () phra com] 
Sent: Tuesday, March 29, 2005 8:25 AM
To: incidents () securityfocus com
Subject: RE: ANI Exploits in Spam

Britton, Jeff B. wrote Tuesday, March 29, 2005 11:00 AM
> I notice the same trend.  ANI files seem to be coming from: 
> (some name).sitemynet.com\*.ani

> If possible, I would block sitemynet.com (212.101.97.230). 

Keep in mind this is only mildly and temporarily effective. Sites and
file names can and probably will change without warning. The ANI files
download sdbot from a totally different address which will also likely
change.

Better blocking might involve screening cursor styles out of email,
reading messages in Plain Text, and ensuring machines are patched for
MS05-002. ANR and ANI exploits are in the wild on the web, used by
adware installers and other miscreants. So the patch is the most
important of all.