phpBB - update it now!

Place to discuss anything, almost. No politics, religion, Microsoft, or anything else that I (the nazi censor) deem inappropriate.

Postby ZiaTioN » Fri Jan 14, 2005 2:04 pm

Yeah, I believe the two are one and the same. I think the infected machine sends out the exploit attempt and attempts to have the target machine download the code from itself. I tried to go to the site in your log example and get the worm code but it has been removed. If you still have the source code of the worm I can verify this if you want to send them to me. :-)
ZiaTioN
administrator
Posts: 460
Joined: Tue Apr 08, 2003 3:28 pm

Postby Void Main » Fri Jan 14, 2005 3:09 pm

No, they are two different sites. Do an nslookup on the download hostname and you will see it does not have the same IP address as the host running the worm. I have about 20 different variations of the code as for a while I was downloading the code when I saw a new one pop in the logs.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby ZiaTioN » Fri Jan 14, 2005 3:21 pm

Yeah, I actually went back to your posted log and noticed that after I posted the last message. So since that was the case, and since you have already written an app to auto-block the IPs as they attempt, I figured added email traffic would just add to the unneeded network congestion, so I have somewhat abandoned that idea.
ZiaTioN
Posts: 460
Joined: Tue Apr 08, 2003 3:28 pm

Postby xeon3d » Sat Feb 12, 2005 12:54 am

Hi.

If you still need Portuguese translating services (free of course ;) ) I'm able to help.

I've also been a victim (to a part) of those stupid Brazilian scriptkiddiez (they're not hackers).

You can reach me at my MSN addy.

Regards.
Marcos.
xeon3d
n00b
Posts: 1
Joined: Sat Feb 12, 2005 12:51 am
Location: Albufeira - Portugal
