I am getting hundreds of messages from people interested in the Mystery Numbers.
The body message is always 5556 or 969. The message subject is 455 or 1545453. They come from a random selection of residential computers, from all over the world. The assumption is that a Trojan-type PC infection is doing the mailing based on information from the browser cache. I am receiving mail addressed to my primary address as well as nonsense words @ my Harpamps.com and JT30.com hosts and now my kpgraham.com domain. These have forwarders that will forward any mail to one of my inboxes.
I googled 5556 969 455 1545453 and I am the only blogger who has reported this so far.
This is an interesting thing because there is no payload. There is no attachment, no link, no real information except the mystery numbers. Are we stuck in an episode of Lost?
My best guess is that it is either a Trojan with a bug that is doing a mailing based on a date, but screwed it up, or it is a Trojan that is sending a signal to another Trojan. The numbers are a key that unlocks what?
If you found me by googling the numbers, please leave a comment with your subject and body numbers. Look at the heading and see if you can find the IP address of who is sending this. There are net detectives out there that might be able to trace some of this stuff.
It seems to have been an event centered around June 6. I have no new messages this morning. Here is a message thread where they are discussed, but they made the initial mistake of believing that it was only Gmail accounts.
4 Comments
Subject 57657 is what I am seeing. Appears to be from Russia per the email header info.
IP address: 212.5.119.66
Reverse DNS: vlan066.socket.ru.
Reverse DNS authenticity: [Verified]
ASN: 8470
ASN Name: MAcomnet (MAcomnet Autonomous System)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): RU [Russian Federation]
Country Currency: RUR [Russia Rubles]
Country IP Range: 212.5.64.0 to 212.5.127.255
Country fraud profile: High
City (per outside source): Unknown
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 212.5.119.66
Subject 455 body text 969. Full header is (with “my address” substituted for email address):
From: "my address"
To: "my address"
Date: Tue, 06 Jun 2006 10:59:31 +0300
Subject: 455
Message-ID: [email protected]
Received: from mx28.lax.untd.com (mx28.lax.untd.com [10.130.24.88])
by maildeliver02.nyc.untd.com with SMTP id AABCJLN49ADKME8S
for [my address] (sender [my address]);
Tue, 6 Jun 2006 00:48:47 -0700 (PDT)
Received: from AlNajjar.com ([86.62.207.110])
by mx28.lax.untd.com with SMTP id AABCJLN48AJ3PYV2
for [my address] (sender [my address]);
Tue, 6 Jun 2006 00:48:46 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-UNTD-Peer-Info: 86.62.207.110|<>|AlNajjar.com|my address
X-ContentStamp: 1:0:0
Return-Path: [my address]
X-UNTD-UBE: 5
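A way to pull the originating IP out of a header like the one quoted above, as an added example (not the commenter's code or any tool's output). It embeds the quoted header as a constructed sample and assumes the X-UNTD-Peer-Info layout shown there, with the peer IP as the first |-separated field:

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the header quoted in the comment above, with the
# commenter's "my address" placeholders kept verbatim.
SAMPLE_HEADERS = """\
From: "my address"
To: "my address"
Date: Tue, 06 Jun 2006 10:59:31 +0300
Subject: 455
Received: from mx28.lax.untd.com (mx28.lax.untd.com [10.130.24.88])
 by maildeliver02.nyc.untd.com with SMTP id AABCJLN49ADKME8S
 for [my address] (sender [my address]);
 Tue, 6 Jun 2006 00:48:47 -0700 (PDT)
Received: from AlNajjar.com ([86.62.207.110])
 by mx28.lax.untd.com with SMTP id AABCJLN48AJ3PYV2
 for [my address] (sender [my address]);
 Tue, 6 Jun 2006 00:48:46 -0700 (PDT)
X-UNTD-Peer-Info: 86.62.207.110|<>|AlNajjar.com|my address
"""

# "from <helo-name> (<optional rdns> [<ip>])", the form most MTAs write.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.S)

def received_hops(raw):
    """(claimed HELO name, peer IP) per Received header, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def origin_hop(raw):
    """Earliest hop with a public peer IP: the host that handed the message to
    the receiving provider. The HELO name is sender-supplied and may be spoofed;
    the IP is what the provider's MTA saw, so only the IP is worth a lookup."""
    for name, ip in reversed(received_hops(raw)):
        if ipaddress.ip_address(ip).is_global:
            return name, ip
    return None

def peer_info_ip(raw):
    """First field of the provider's own X-UNTD-Peer-Info header, used to
    cross-check the Received chain; None when the header is absent."""
    value = message_from_string(raw).get("X-UNTD-Peer-Info")
    return value.split("|")[0].strip() if value else None
```

Only the hop recorded by your own provider's MTA (here mx28.lax.untd.com logging 86.62.207.110) is trustworthy; any Received lines beneath it, and the HELO name, are written by the sender and can be forged.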
Hi,
We received the following variants:
154545
1545453
455
557
57657
586876
If you are receiving it you are not infected and not much can stop it, look here http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html
regards
lxnx