Whilst closely watching the traffic to a server here at work (I had a good reason, I don’t just find it fun) (yes I do) I noticed a firewall batting away a bunch of incoming Microsoft Messenger Service NetrSendMessage calls. These are UDP packets destined for port 1026. The contents of the messages seem to be spyware and spam tricks: “Your system needs updating, click here to purchase the patch”, etc.
I’ve not come across this before, but it seems to be widespread. In 2 hours I collected over a dozen to one particular host, all from different source IPs and nearly all with different messages and URLs in them. Here are some excerpts. Notice that, as URLs aren’t clickable in message boxes, they have to leave instructions to type the URL in.
UPDATE: For all the non-techies, these messages are NOT the result of a virus or worm or anything like that. They are just network messages sent over the internet by scammers, a bit like spam. You can safely ignore them. If you want them to go away, install some firewall software or follow the instructions by Manimo to turn off the messaging service.
======================
Buffer Overrun in Messenger Service Allows Remote Code Execution,
Virus Infection and Unexpected Computer Shutdowns
Affected Software:
Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003
Non Affected Software:
Microsoft Windows Millennium Edition
Your system is affected, download the patch from the address below !
FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK ‘OK’.
THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK ‘OK’.
www.updatepatch.info
And this one:
Windows has found infected spyware and dangerous errors on your computer!
To rid your computer of these dangerous errors and infected spyware do the
following:
1. Download eAntiSpy from: www.desktopfix.com
2. Install eAntiSpy
3. Run eAntiSpy
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA CORRUPTION AND LOSS OF PERSONAL
INFORMATION AND SYSTEM FAILURE!
And this one:
We detected a dangerous Virus installed on your computer but was unable
to remove it. This Virus allow companies/users to monitor your
Internet browsing patterns. It is recommended that you install the
latest software to remove these by going to:
www.fixscan.com
John Leach is a human being living in Leeds, UK.
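The tally described in the post (hits on UDP port 1026 per target host, and how many distinct source IPs sent them) can be reproduced from firewall logs. This is an added example, not code from the original post; it assumes Linux netfilter-style LOG lines, and the sample log and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in netfilter LOG format (an assumption: the post does not
# say which firewall was in use). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 27 10:01:12 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=485 TTL=112 PROTO=UDP SPT=32915 DPT=1026 LEN=465
Sep 27 10:09:40 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=922 TTL=109 PROTO=UDP SPT=4521 DPT=1026 LEN=902
Sep 27 10:15:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=485 TTL=112 PROTO=UDP SPT=32916 DPT=1026 LEN=465
Sep 27 10:20:31 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.44 LEN=60 TTL=51 PROTO=TCP SPT=50112 DPT=1026 WINDOW=5840 SYN
Sep 27 10:31:55 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.11 LEN=78 TTL=120 PROTO=UDP SPT=1029 DPT=137 LEN=58
Sep 27 11:02:18 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.140 DST=192.0.2.10 LEN=610 TTL=115 PROTO=UDP SPT=1052 DPT=1026 LEN=590
"""

# Only the fields needed for the tally; other KEY=VALUE pairs are ignored.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def messenger_spam_summary(log_text, port=1026):
    """Group UDP packets to `port` by destination host.

    Returns {dst: {"packets": int, "sources": sorted list of distinct SRC}},
    ordered so the host hit by the most distinct sources comes first.
    """
    hits = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(port):
            continue  # TCP to the same port, or other UDP services
        if "SRC" not in f or "DST" not in f:
            continue  # malformed or truncated log line
        hits[f["DST"]]["packets"] += 1
        hits[f["DST"]]["sources"].add(f["SRC"])
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]["sources"]))
    return {dst: {"packets": v["packets"], "sources": sorted(v["sources"])}
            for dst, v in ranked}


if __name__ == "__main__":
    for dst, info in messenger_spam_summary(SAMPLE_LOG).items():
        print(f"{dst}: {info['packets']} packets from "
              f"{len(info['sources'])} distinct sources")
```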
September 27th, 2005 at 22:15
Hi,
I purchased a PC infected with these messages. Tried downloading Noadaware, Registry Mechanic & Spybot S&D but still having the problem. Anyone there know how to fix this? Thanks for your help.
September 29th, 2005 at 16:40
Shut down the messenger service (this does NOT affect MSN Messenger etc). In w2k/xp you do this by going to the Control Panel, Administrative Options and then Services. Stop the messenger service and have it not start up on boot (should be fairly obvious how to do this).
Also note the names (especially Administrative Options) can be somewhat off since I don’t run Windows so I can’t check.
September 29th, 2005 at 21:48
http://www.grc.com/stm/shootthemessenger.htm
(or install Linux!)
September 30th, 2005 at 21:48
I have the same pop-ups. Is this for real??????
October 1st, 2005 at 23:31
Hi,
My PC has been affected by a virus, so please remove it from my system. Thank you.
October 2nd, 2005 at 01:24
Norton's antivirus 2003 is unable to detect the virus, so please remove the virus. Thank you.
October 2nd, 2005 at 08:18
I have the same problem.
I already upgraded IE to the latest version, IE6 SP1.
On the same network, only one of them has the trouble.
When it connects to the internet.
So, I think it must be coming from the OS, Win2K.
October 20th, 2005 at 05:59
WoW !!! I got that garbage trying to do a DOS telnet experiment, yep, using a DOS ppp tcp/ip connection, RLFOSSIL, which is a DOS program that emulates a modem to allow a terminal program such as TELEMATE to connect to the internet….. pretty weird stuff
December 17th, 2005 at 20:17
Thanks for the info, just reformatted my computer, have adware by MS. Never seen these before. No legit sites either. Your site was most helpful!
December 30th, 2005 at 21:41
Umm, I don't know what's happening with the computer; suddenly a notice appears saying that I have to download from this page.
May 9th, 2007 at 03:57
You can install Norton antivirus 2007 and then scan your computer. I hope this step can solve your problem.