On 5/12/05, Joe Shen <joe_hznm@yahoo.com.sg> wrote:
> By tcpdump, it's found a remote computer keeps asking address for records like 999d38e693b9e6293b450.0existence.com, 60d38e693b9e6293b450.0be6c1xfa.net.
> Is that a virus affected computer?

Sure looks like some kind of massmailer trojan, or an affiliate program based spam sending software like Atriks.

These two domains you quoted have rather interesting whois records, particularly 0existence.com ..

Domain Name.......... 0existence.com
Creation Date........ 2004-10-23
Registration Date.... 2004-10-23
Expiry Date.......... 2009-10-23
Organisation Name.... William Peter
Organisation Address. 52 THIRD AVENUE
Organisation Address.
Organisation Address. Woonsocket
Organisation Address. 02895
Organisation Address. RI
Organisation Address. UNITED STATES

Admin Name........... William Peter
Admin Address........ 52 THIRD AVENUE
Admin Address........
Admin Address........ Woonsocket
Admin Address........ 02895
Admin Address........ RI
Admin Address........ UNITED STATES
Admin Email.......... doi.looklikeafucktardtoyou@0existence.com
Admin Phone.......... +1.4067672231
Admin Fax............

Tech Name............ Existence Corporation
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... doi.looklikeafucktardtoyou@0existence.com
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010

-- 
Suresh Ramasubramanian (ops.lists@gmail.com)
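
A triage sketch for the capture described in this thread, added here as an example and not part of either poster's message: it reads tcpdump-style DNS query lines and reports clients that repeatedly ask for names whose left-most label is a long run of hex digits, like the two quoted above. The sample lines, the documentation-range IP addresses, the 16-character minimum and the two-query threshold are all assumptions, and the heuristic is a generic one, not a signature for any particular malware.

```python
import re
from collections import defaultdict

# Constructed capture lines in tcpdump's text format. Only the two hex-prefixed
# hostnames come from the post; addresses, ports, IDs and sizes are made up.
SAMPLE = """\
12:00:01.100000 IP 192.0.2.10.1025 > 192.0.2.53.53: 4660+ A? 999d38e693b9e6293b450.0existence.com. (54)
12:00:01.900000 IP 192.0.2.10.1025 > 192.0.2.53.53: 4661+ A? 60d38e693b9e6293b450.0be6c1xfa.net. (52)
12:00:02.300000 IP 192.0.2.10.1026 > 192.0.2.53.53: 4662+ MX? 999d38e693b9e6293b450.0existence.com. (54)
12:00:03.000000 IP 192.0.2.20.1030 > 192.0.2.53.53: 81+ A? www.example.org. (33)
12:00:04.000000 IP 192.0.2.20.1031 > 192.0.2.53.53: 82+ A? cafe.example.org. (34)
"""

# client IP, query type, queried name (trailing root dot dropped)
QUERY = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: \d+\S* (\w+)\? (\S+?)\.? \("
)
HEX = set("0123456789abcdef")


def looks_generated(name, min_len=16):
    """True if the left-most label is long and consists only of hex digits."""
    label = name.split(".")[0].lower()
    return len(label) >= min_len and all(c in HEX for c in label)


def suspicious_clients(text, threshold=2):
    """Return {client_ip: [(qtype, name), ...]} for clients that sent at
    least `threshold` queries for hex-looking names."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = QUERY.search(line)
        if m and looks_generated(m.group(3)):
            hits[m.group(1)].append((m.group(2), m.group(3)))
    return {ip: q for ip, q in hits.items() if len(q) >= threshold}


if __name__ == "__main__":
    for ip, queries in suspicious_clients(SAMPLE).items():
        print(f"{ip}: {len(queries)} queries with hex-like labels")
        for qtype, name in queries:
            print(f"    {qtype:3} {name}")
```

Short hex-only labels such as `cafe` stay below the length cut-off, so ordinary lookups from the second client are not reported.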