[Full-Disclosure] RE: URLs used by W32/MyDoom-O (aka .AX, .BB) to query search engines?

From: Patrick Nolan (p.nolan_at_comcast.net)
Date: 02/18/05

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 17 Feb 2005 22:44:11 -0800

    > -----Original Message-----
    > From: full-disclosure-bounces@lists.netsys.com
    > Sent: Thursday, February 17, 2005 5:01 PM
    > Subject: URLs used by W32/MyDoom-O (aka .AX,.BB) to query search engines?
    >
    > Hello List,
    >
    > Does anyone have a list of query URLs used by W32/MyDoom-O
    > (Sophos name:
    > http://www.sophos.com/virusinfo/analyses/w32mydoomo.html)
    > to dig e-mail addresses from search engines?

    Here are examples of the 4 URLs used by that virus, where %domain% is like
    the comcast.net in my email address =>

    #1 - www.altavista.com

    GET /web/results?q=%domain%+email&kgs=0&kls=0&nbq=20 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: www.altavista.com
    Connection: Keep-Alive

    #2 - www.google.com

    GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+%domain%&num=100 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: www.google.com

    #3 - Search.Lycos.com

    GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+%domain% HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: search.lycos.com

    #4 - search.yahoo.com

    GET /search?p=email+ %domain% &ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: search.yahoo.com

    > Are these specific enough that there's a chance to catch them
    > in the config of a web proxy (e.g. Squid) and avoid being
    > "blacklisted" by the search engines? (seems to me that Google
    > temporarily blacklists IPs that drown them under such requests)

    You could use an IDP signature to block the requesting traffic.

    > Greets,
    > _Alain_

    Regards,

    Patrick Nolan
    Virus Researcher - Fortinet Inc.
    http://www.fortinet.com

    To Submit A Virus:
    pkzip/winzip password infected to
    submitvirus at fortinet dot com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
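The question in the thread is whether the four requests above are specific enough to match in a proxy or IDS before they reach the search engines. The following is an added example, not code from the post or from Fortinet: it parses raw HTTP request blocks the way a proxy would see them and flags the ones whose Host, path and fixed query parameters match the worm's four harvesting requests, treating the User-Agent string as a supporting indicator only. The sample requests are constructed from the post's examples with `example.com` standing in for `%domain%`; the regexes for the search term and the optional `%20` around the Yahoo domain are assumptions about how the worm encodes it.

```python
"""Flag HTTP requests that match the four MyDoom-O search-engine query patterns.

Added example, not from the original post. Parameters are compared as raw
strings (no '+' or '%xx' decoding) so the match reflects exactly what a proxy
or IDS sees on the wire.
"""
import re

# The worm's fixed User-Agent, quoted in the post. A genuine MSIE 6 on
# Windows 2000 sends the same string, so it is only a supporting indicator.
MYDOOM_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

# One signature per engine: (path, parameters that must match exactly,
# name of the search-term parameter, regex the raw term must match).
# Assumption: the worm substitutes a bare domain for %domain%.
SIGNATURES = {
    "www.altavista.com": ("/web/results", {"kgs": "0", "kls": "0", "nbq": "20"},
                          "q", re.compile(r"^[\w.-]+\+email$")),
    "www.google.com": ("/search", {"hl": "en", "ie": "UTF-8", "oe": "UTF-8", "num": "100"},
                       "q", re.compile(r"^mailto\+[\w.-]+$")),
    "search.lycos.com": ("/default.asp", {"lpv": "1", "loc": "searchhp", "tab": "web"},
                         "query", re.compile(r"^mailto\+[\w.-]+$")),
    # The post shows spaces around %domain%; allow them as optional %20.
    "search.yahoo.com": ("/search", {"ei": "UTF-8", "fr": "fp-tab-web-t", "cop": "mss", "tab": ""},
                         "p", re.compile(r"^email\+(?:%20)?[\w.-]+(?:%20)?$")),
}


def parse_request(raw):
    """Split a raw HTTP request block into (method, path, params, headers)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(None, 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value          # raw value, no decoding
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, params, headers


def match_mydoom_query(raw):
    """Return (engine_host, ua_matches) for a request that fits one of the
    four harvesting signatures, or None for anything else."""
    method, path, params, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    sig = SIGNATURES.get(host)
    if method != "GET" or sig is None or path != sig[0]:
        return None
    _path, fixed, term_key, term_re = sig
    # Every fixed parameter must be present with exactly the worm's value.
    if any(params.get(k) != v for k, v in fixed.items()):
        return None
    term = params.get(term_key)
    if term is None or not term_re.match(term):
        return None
    return host, headers.get("user-agent") == MYDOOM_UA


def scan(requests):
    """Return [(index, host, ua_matches)] for every request that matches."""
    hits = []
    for i, raw in enumerate(requests):
        result = match_mydoom_query(raw)
        if result:
            hits.append((i, result[0], result[1]))
    return hits


# Constructed sample traffic: the post's four requests with example.com as
# the domain, then three requests that must NOT be flagged as the worm's
# full pattern, and one worm query sent with a different User-Agent.
_WORM_HDRS = ("Accept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
              "User-Agent: " + MYDOOM_UA + "\r\n")
SAMPLE_REQUESTS = [
    "GET /web/results?q=example.com+email&kgs=0&kls=0&nbq=20 HTTP/1.1\r\n"
    + _WORM_HDRS + "Host: www.altavista.com\r\nConnection: Keep-Alive\r\n",
    "GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+example.com&num=100 HTTP/1.1\r\n"
    + _WORM_HDRS + "Host: www.google.com\r\n",
    "GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+example.com HTTP/1.1\r\n"
    + _WORM_HDRS + "Host: search.lycos.com\r\n",
    "GET /search?p=email+example.com&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= HTTP/1.1\r\n"
    + _WORM_HDRS + "Host: search.yahoo.com\r\n",
    # Ordinary search from a browser that happens to send the same UA.
    "GET /search?hl=en&q=squid+acl HTTP/1.1\r\n" + _WORM_HDRS + "Host: www.google.com\r\n",
    # A person typing the worm's term by hand: num=100 is absent.
    "GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+example.com HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux)\r\nHost: www.google.com\r\n",
    # Full Lycos pattern but a different UA: still a hit, ua_matches False.
    "GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+example.com HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux)\r\nHost: search.lycos.com\r\n",
]

if __name__ == "__main__":
    for index, host, ua_ok in scan(SAMPLE_REQUESTS):
        print(f"request {index}: MyDoom-O query to {host}, worm UA={ua_ok}")
```

The fixed parameter combinations (for instance `num=100` together with `hl=en&ie=UTF-8&oe=UTF-8` and a `mailto+` term on Google) are what make these requests distinctive; the same path-plus-parameter tuples can be expressed as a Squid `url_regex` ACL, whereas matching on the User-Agent alone would also block ordinary MSIE 6 users on the network.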
