weird udp packets blocked

Discussion in 'LnS English Forum' started by tristantzara, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. tristantzara

    tristantzara Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    78
    hi,

    Recently there were a lot of blocked UDP packets in my log with weird data: a text trying to get you to go to a site and install some dubious bull##..
    I checked the exe you are asked to open when visiting such a site, and you get something like Repair Registry Pro.exe...

    Does someone know about that?

    The data looks something like this, btw...

    Thanks..

    0000:04 00 28 00 10 00 00 00 ..(....
    0008:00 00 00 00 00 00 00 00 ........
    0010:00 00 00 00 00 00 00 00 ........
    0018:F8 91 7B 5A 00 FF D0 11 ø‘{Z.ÿÐ
    0020:A9 B2 00 C0 4F B6 E6 FC ©².ÀO¶æü
    0028:C4 BC 02 88 7B CA EA F1 ļ.ˆ{Êêñ
    0030:BB BE 1D 8E 9A 00 81 DC »¾Žš.Ü
    0038:00 00 00 00 01 00 00 00 ........
    0040:00 00 00 00 00 00 FF FF ......ÿÿ
    0048:FF FF 79 01 00 00 00 00 ÿÿy.....
    0050:10 00 00 00 00 00 00 00 .......
    0058:10 00 00 00 46 52 4F 4D ...FROM
    0060:00 00 00 00 00 00 00 00 ........
    0068:00 00 00 00 10 00 00 00 .......
    0070:00 00 00 00 10 00 00 00 .......
    0078:54 4F 00 00 00 00 00 00 TO......
    0080:00 00 00 00 00 00 00 00 ........
    0088:35 01 00 00 00 00 00 00 5.......
    0090:35 01 00 00 53 54 4F 50 5...STOP
    0098:21 20 57 49 4E 44 4F 57 ! WINDOW
    00A0:53 20 52 45 51 55 49 52 S REQUIR
    00A8:45 53 20 49 4D 4D 45 44 ES IMMED
    00B0:49 41 54 45 20 41 54 54 IATE ATT
    00B8:45 4E 54 49 4F 4E 2E 0A ENTION..
    00C0:0A 57 69 6E 64 6F 77 73 .Windows
    00C8:20 68 61 73 20 66 6F 75 has fou
    00D0:6E 64 20 35 35 20 43 72 nd 55 Cr
    00D8:69 74 69 63 61 6C 20 53 itical S
    00E0:79 73 74 65 6D 20 45 72 ystem Er
    00E8:72 6F 72 73 2E 0A 0A 54 rors...T
    00F0:6F 20 66 69 78 20 74 68 o fix th
    00F8:65 20 65 72 72 6F 72 73 e errors
    0100:20 70 6C 65 61 73 65 20 please
    0108:64 6F 20 74 68 65 20 66 do the f
    0110:6F 6C 6C 6F 77 69 6E 67 ollowing
    0118:3A 0A 0A 31 2E 20 44 6F :..1. Do
    0120:77 6E 6C 6F 61 64 20 52 wnload R
    0128:65 67 69 73 74 72 79 20 egistry
    0130:55 70 64 61 74 65 20 66 Update f
    0138:72 6F 6D 3A 20 77 77 77 rom: www
    0140:2E 72 65 67 66 69 78 69 .regfixi
    0148:74 2E 63 6F 6D 0A 32 2E t.com.2.
    0150:20 49 6E 73 74 61 6C 6C Install
    0158:20 52 65 67 69 73 74 72 Registr
    0160:79 20 55 70 64 61 74 65 y Update
    0168:0A 33 2E 20 52 75 6E 20 .3. Run
    0170:52 65 67 69 73 74 72 79 Registry
    0178:20 55 70 64 61 74 65 0A Update.
    0180:34 2E 20 52 65 62 6F 6F 4. Reboo
    0188:74 20 79 6F 75 72 20 63 t your c
    0190:6F 6D 70 75 74 65 72 0A omputer.
    0198:0A 46 41 49 4C 55 52 45 .FAILURE
    01A0:20 54 4F 20 41 43 54 20 TO ACT
    01A8:4E 4F 57 20 4D 41 59 20 NOW MAY
    01B0:4C 45 41 44 20 54 4F 20 LEAD TO
    01B8:53 59 53 54 45 4D 20 46 SYSTEM F
    01C0:41 49 4C 55 52 45 21 0A AILURE!.
    01C8:00 .
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    HI tristantzara :)

    Don't worry about this. These packets are from the Messenger service spammers ... The Messenger service is normally disabled if your Windows is up to date. This "messenger" spamming uses this service to display desktop pop-ups on non-protected Windows ...

    You can catch most of them with a rule like this one.
    The rule has to be placed after the other UDP rules, such as allow DNS and Block NetBIOS...
     

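Added example, not code from the thread or from Look 'n' Stop: it rebuilds the 457-byte payload from the first post's dump (the 80-byte connectionless DCE/RPC header copied as hex, the three NDR strings re-framed around the text from the ASCII column) and decodes it the way a log analyser could, recognising the Messenger-service interface UUID that sits at bytes 0x18..0x27 of the dump. That the UUID belongs to msgsvc and that opnum 0 (NetrSendMessage) carries from, to and text in that order comes from the protocol, not from the thread.

```python
import struct, uuid

# Interface UUID found at bytes 0x18..0x27 of the dump: the Messenger service (msgsvc).
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")

# 80-byte connectionless DCE/RPC header, copied from the thread's dump (offsets 0x00..0x4F).
CL_HEADER = bytes.fromhex(
    "0400280010000000" "0000000000000000"    # rpc_vers 4, ptype 0 (request), drep, nil object
    "0000000000000000" "F8917B5A00FFD011"
    "A9B200C04FB6E6FC" "C4BC02887BCAEAF1"    # interface UUID (msgsvc), activity UUID
    "BBBE1D8E9A0081DC" "0000000001000000"    # boot time, if_vers 1
    "000000000000FFFF" "FFFF790100000000")   # seqnum, opnum 0, hints, body len 0x179
# The pop-up text from the dump's ASCII column (offsets 0x94..0x1C7).
POPUP_TEXT = (
    "STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\n"
    "Windows has found 55 Critical System Errors.\n\n"
    "To fix the errors please do the following:\n\n"
    "1. Download Registry Update from: www.regfixit.com\n"
    "2. Install Registry Update\n3. Run Registry Update\n4. Reboot your computer\n\n"
    "FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!\n")

def ndr_str(s, max_count=None):
    """NDR conformant-varying char array: max_count, offset, actual_count, then bytes."""
    data = (s.encode("latin-1") + b"\0").ljust(max_count or 0, b"\0")
    return struct.pack("<III", len(data), 0, len(data)) + data

# Rebuilt 457-byte payload: header + NetrSendMessage stub (from, to, text), as in the dump.
SAMPLE = CL_HEADER + ndr_str("FROM", 16) + ndr_str("TO", 16) + ndr_str(POPUP_TEXT)

def read_ndr_str(buf, pos):
    """Inverse of ndr_str: (string, offset of the next 4-byte-aligned field)."""
    max_count, _offset, actual = struct.unpack_from("<III", buf, pos)
    if actual > max_count or pos + 12 + actual > len(buf):
        raise ValueError("NDR string runs past the fragment")
    raw = buf[pos + 12:pos + 12 + actual]
    return raw.split(b"\0", 1)[0].decode("latin-1"), pos + 12 + (actual + 3) // 4 * 4

def decode_msgsvc(buf):
    """Return the decoded msgsvc request (interface, opnum, from, to, text) or None."""
    if len(buf) < 80 or buf[0] != 4 or buf[1] != 0:        # CL DCE/RPC v4, ptype 0 = request
        return None
    iface = uuid.UUID(bytes_le=bytes(buf[24:40]))
    opnum, = struct.unpack_from("<H", buf, 68)
    body_len, = struct.unpack_from("<H", buf, 74)
    if iface != MSGSVC_UUID or opnum != 0 or body_len != len(buf) - 80:
        return None                                          # not a msgsvc NetrSendMessage
    sender, pos = read_ndr_str(buf, 80)
    receiver, pos = read_ndr_str(buf, pos)
    text, _ = read_ndr_str(buf, pos)
    return {"interface": str(iface), "opnum": opnum, "from": sender, "to": receiver, "text": text}
```

The body-length and interface checks are what separate a real msgsvc pop-up from any other UDP datagram that happens to contain readable text, which is the distinction the firewall rule in the reply is making by port.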
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640

  4. tristantzara

    tristantzara Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    78
    Hello Climenole, :thumb:

    Thank you.
    ... the Messenger service is disabled...
    Now I can easily differentiate between the messenger spam UDP packets and other UDP packets without looking at the ports or data... comes in handy.. :shifty:
     
  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi tristantzara :)

    Here is the "file" ;-)

    :D
     
