weird udp packets blocked

Discussion in 'LnS English Forum' started by tristantzara, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. tristantzara

    tristantzara Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    78
    hi,

Recently there were a lot of blocked UDP packets in my log with weird data: a text trying to get you to go to a site and install some dubious bull##..
    I checked the exe you are asked to open when visiting such a site, and you get something like Repair Registry Pro.exe...

    Does anyone know about that?

    The data looks something like this, btw...

    thanks..

    0000:04 00 28 00 10 00 00 00 ..(....
    0008:00 00 00 00 00 00 00 00 ........
    0010:00 00 00 00 00 00 00 00 ........
    0018:F8 91 7B 5A 00 FF D0 11 ø‘{Z.ÿÐ
    0020:A9 B2 00 C0 4F B6 E6 FC ©².ÀO¶æü
    0028:C4 BC 02 88 7B CA EA F1 ļ.ˆ{Êêñ
    0030:BB BE 1D 8E 9A 00 81 DC »¾Žš.Ü
    0038:00 00 00 00 01 00 00 00 ........
    0040:00 00 00 00 00 00 FF FF ......ÿÿ
    0048:FF FF 79 01 00 00 00 00 ÿÿy.....
    0050:10 00 00 00 00 00 00 00 .......
    0058:10 00 00 00 46 52 4F 4D ...FROM
    0060:00 00 00 00 00 00 00 00 ........
    0068:00 00 00 00 10 00 00 00 .......
    0070:00 00 00 00 10 00 00 00 .......
    0078:54 4F 00 00 00 00 00 00 TO......
    0080:00 00 00 00 00 00 00 00 ........
    0088:35 01 00 00 00 00 00 00 5.......
    0090:35 01 00 00 53 54 4F 50 5...STOP
    0098:21 20 57 49 4E 44 4F 57 ! WINDOW
    00A0:53 20 52 45 51 55 49 52 S REQUIR
    00A8:45 53 20 49 4D 4D 45 44 ES IMMED
    00B0:49 41 54 45 20 41 54 54 IATE ATT
    00B8:45 4E 54 49 4F 4E 2E 0A ENTION..
    00C0:0A 57 69 6E 64 6F 77 73 .Windows
    00C8:20 68 61 73 20 66 6F 75 has fou
    00D0:6E 64 20 35 35 20 43 72 nd 55 Cr
    00D8:69 74 69 63 61 6C 20 53 itical S
    00E0:79 73 74 65 6D 20 45 72 ystem Er
    00E8:72 6F 72 73 2E 0A 0A 54 rors...T
    00F0:6F 20 66 69 78 20 74 68 o fix th
    00F8:65 20 65 72 72 6F 72 73 e errors
    0100:20 70 6C 65 61 73 65 20 please
    0108:64 6F 20 74 68 65 20 66 do the f
    0110:6F 6C 6C 6F 77 69 6E 67 ollowing
    0118:3A 0A 0A 31 2E 20 44 6F :..1. Do
    0120:77 6E 6C 6F 61 64 20 52 wnload R
    0128:65 67 69 73 74 72 79 20 egistry
    0130:55 70 64 61 74 65 20 66 Update f
    0138:72 6F 6D 3A 20 77 77 77 rom: www
    0140:2E 72 65 67 66 69 78 69 .regfixi
    0148:74 2E 63 6F 6D 0A 32 2E t.com.2.
    0150:20 49 6E 73 74 61 6C 6C Install
    0158:20 52 65 67 69 73 74 72 Registr
    0160:79 20 55 70 64 61 74 65 y Update
    0168:0A 33 2E 20 52 75 6E 20 .3. Run
    0170:52 65 67 69 73 74 72 79 Registry
    0178:20 55 70 64 61 74 65 0A Update.
    0180:34 2E 20 52 65 62 6F 6F 4. Reboo
    0188:74 20 79 6F 75 72 20 63 t your c
    0190:6F 6D 70 75 74 65 72 0A omputer.
    0198:0A 46 41 49 4C 55 52 45 .FAILURE
    01A0:20 54 4F 20 41 43 54 20 TO ACT
    01A8:4E 4F 57 20 4D 41 59 20 NOW MAY
    01B0:4C 45 41 44 20 54 4F 20 LEAD TO
    01B8:53 59 53 54 45 4D 20 46 SYSTEM F
    01C0:41 49 4C 55 52 45 21 0A AILURE!.
    01C8:00 .
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
Hi tristantzara :)

    Don't worry about this. These packets are from the Messenger service spammers ... The Messenger service is normally disabled if your Windows is up to date. This "messenger" spamming uses this service to display desktop pop-ups on non-protected Windows ...

    You can catch most of them with a rule like this one.
    The rule has to be placed after the other UDP rules such as allow DNS and block NetBIOS...
     

    Attached Files:
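Climenole's diagnosis can be checked against the bytes tristantzara posted. The Python script below is an added example, not code from this thread or from Look 'n' Stop: it re-reads the posted dump (copied here as a constructed constant, reflowed to 16 bytes per row with the ASCII column dropped), parses the 80-byte connectionless DCE/RPC header using the layout from the DCE 1.1 RPC specification, compares the interface UUID with the Messenger service interface id (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, which is exactly what the bytes at offset 0x18 decode to), and unpacks the three NDR strings carried in the stub. Function and field names are mine; the interpretation of the three strings as sender, recipient and message text follows from their contents in this packet (FROM, TO, and the pop-up text).

```python
import struct
import uuid

# Constructed copy of the hex dump posted above, reflowed to 16 bytes per row
# with the ASCII column dropped. The byte values are unchanged.
MESSENGER_SPAM_DUMP = """
04 00 28 00 10 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 F8 91 7B 5A 00 FF D0 11
A9 B2 00 C0 4F B6 E6 FC C4 BC 02 88 7B CA EA F1
BB BE 1D 8E 9A 00 81 DC 00 00 00 00 01 00 00 00
00 00 00 00 00 00 FF FF FF FF 79 01 00 00 00 00
10 00 00 00 00 00 00 00 10 00 00 00 46 52 4F 4D
00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00
00 00 00 00 10 00 00 00 54 4F 00 00 00 00 00 00
00 00 00 00 00 00 00 00 35 01 00 00 00 00 00 00
35 01 00 00 53 54 4F 50 21 20 57 49 4E 44 4F 57
53 20 52 45 51 55 49 52 45 53 20 49 4D 4D 45 44
49 41 54 45 20 41 54 54 45 4E 54 49 4F 4E 2E 0A
0A 57 69 6E 64 6F 77 73 20 68 61 73 20 66 6F 75
6E 64 20 35 35 20 43 72 69 74 69 63 61 6C 20 53
79 73 74 65 6D 20 45 72 72 6F 72 73 2E 0A 0A 54
6F 20 66 69 78 20 74 68 65 20 65 72 72 6F 72 73
20 70 6C 65 61 73 65 20 64 6F 20 74 68 65 20 66
6F 6C 6C 6F 77 69 6E 67 3A 0A 0A 31 2E 20 44 6F
77 6E 6C 6F 61 64 20 52 65 67 69 73 74 72 79 20
55 70 64 61 74 65 20 66 72 6F 6D 3A 20 77 77 77
2E 72 65 67 66 69 78 69 74 2E 63 6F 6D 0A 32 2E
20 49 6E 73 74 61 6C 6C 20 52 65 67 69 73 74 72
79 20 55 70 64 61 74 65 0A 33 2E 20 52 75 6E 20
52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 0A
34 2E 20 52 65 62 6F 6F 74 20 79 6F 75 72 20 63
6F 6D 70 75 74 65 72 0A 0A 46 41 49 4C 55 52 45
20 54 4F 20 41 43 54 20 4E 4F 57 20 4D 41 59 20
4C 45 41 44 20 54 4F 20 53 59 53 54 45 4D 20 46
41 49 4C 55 52 45 21 0A 00
"""

# 80-byte connectionless ("dg") DCE/RPC header, DCE 1.1 RPC spec, little-endian:
# rpc_vers, ptype, flags1, flags2, drep[3], serial_hi, object, if_id, act_id,
# server_boot, if_vers, seqnum, opnum, ihint, ahint, len, fragnum, auth_proto, serial_lo
DG_HEADER = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")
PTYPE_REQUEST = 0
MSGSVC_INTERFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")  # Messenger service


def parse_hex_dump(text):
    """Turn 'XXXX:aa bb cc ...' or plain 'aa bb cc' rows into bytes; stops at the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        body = line.split(":", 1)[-1]  # drop an offset prefix when present
        for tok in body.split():
            if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break  # first non-hex token starts the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def parse_dg_header(pkt):
    f = DG_HEADER.unpack_from(pkt, 0)
    return {
        "rpc_vers": f[0], "ptype": f[1], "drep": f[4],
        "object": uuid.UUID(bytes_le=f[6]), "interface": uuid.UUID(bytes_le=f[7]),
        "activity": uuid.UUID(bytes_le=f[8]), "if_vers": f[10],
        "seqnum": f[11], "opnum": f[12], "len": f[15],
    }


def read_ndr_string(buf, pos):
    """NDR conformant varying char array: max_count, offset, actual_count, then actual_count bytes."""
    pos = (pos + 3) & ~3  # the three counts are 4-byte aligned
    _max_count, _offset, actual = struct.unpack_from("<III", buf, pos)
    pos += 12
    data = buf[pos:pos + actual]
    return data.rstrip(b"\x00").decode("ascii", "replace"), pos + actual


def decode_messenger_request(pkt):
    hdr = parse_dg_header(pkt)
    if hdr["rpc_vers"] != 4 or hdr["ptype"] != PTYPE_REQUEST:
        raise ValueError("not a connectionless DCE/RPC request")
    if not hdr["drep"][0] & 0x10:
        raise ValueError("only little-endian NDR data representation is handled")
    if hdr["interface"] != MSGSVC_INTERFACE:
        raise ValueError("interface %s is not the Messenger service" % hdr["interface"])
    stub = pkt[DG_HEADER.size:DG_HEADER.size + hdr["len"]]
    sender, pos = read_ndr_string(stub, 0)      # "FROM" in the posted packet
    recipient, pos = read_ndr_string(stub, pos)  # "TO" in the posted packet
    message, _ = read_ndr_string(stub, pos)     # the pop-up text
    return {"opnum": hdr["opnum"], "from": sender, "to": recipient, "message": message}


PACKET = parse_hex_dump(MESSENGER_SPAM_DUMP)


def decode_posted_dump():
    return decode_messenger_request(PACKET)


if __name__ == "__main__":
    result = decode_posted_dump()
    print("interface:", parse_dg_header(PACKET)["interface"], "opnum:", result["opnum"])
    print("from=%r to=%r" % (result["from"], result["to"]))
    print(result["message"])
```

The header check is the useful part for log triage: a UDP datagram whose first byte is 4, whose second byte is 0 and whose interface UUID at offset 0x18 decodes to the Messenger interface is this kind of pop-up request regardless of which port it arrives on, which is why a firewall rule keyed on the service rather than on the message text catches most of them.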

  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640

    Attached Files:

  4. tristantzara

    tristantzara Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    78
Hello Climenole, :thumb:

    Thank you.
    ... the Messenger service is disabled...
    Now I can easily differentiate between the Messenger spam UDP packets and other UDP packets without looking at the ports or data... comes in handy.. :shifty:
     
  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi tristantzara :)

Here's the "file" ;-)

    :D
     

    Attached Files:
