[prev in list] [next in list] [prev in thread] [next in thread] 

List:       emerging-sigs
Subject:    [Emerging-Sigs] VB WinHTTP User Agent alerts
From:       dxp2532 () gmail ! com (dxp)
Date:       2008-05-09 13:45:27
Message-ID: 1210340727.6789.6.camel () kinta
[Download RAW message or body]

I'm not sure if all vendors do this but recently a friend of mine
obtained a HP laptop which came preloaded with Vista and without any
installation media.  Instead, there was a piece of paper in the box
stating that HP laptops now come with a restore/repair partition and
physical installation media is no longer required.

This may not be  a problem for many people on this list but what about
other folks out there.
I guess she can always call HP and demand a disc but I have a feeling
that might be fruitless.

On Thu, 2008-05-08 at 09:29 -0400, Joel Esler wrote:

> This is why you should wipe all computers you receive with a fresh  
> copy of your OS.
> 
> J
> 
> On May 8, 2008, at 8:52 AM, Jack Pepper wrote:
> 
> > sid=2002970
> > 
> > 192.168.10.154	 MALWARE VB WinHTTP User Agent - Possible Malware
> > 
> > 
> > That WinHTTP alert is cause by some new software that DELL is
> > preloading on their computers.   It appears to be uploading hardware
> > configuration data once per day.
> > 
> > 
> > 12:21:50.345343 IP 192.168.10.154.1330 > 12.129.31.109.80: P
> > 1584357475:1584357908(433) ack 1809964304 win 64860
> > 0x0000   4500 01d9 48b8 4000 8006 b936 c0a8 0a9a        E...H. at .... 
> > 6....
> > 0x0010   0c81 1f6d 0532 0050 5e6f 6063 6be1 dd10        ...m. 
> > 2.P^o`ck...
> > 0x0020   5018 fd5c 0a83 0000 504f 5354 202f 7364        P.. 
> > \....POST./sd
> > 0x0030   6378 7573 6572 2f61 7370 2f64 656c 6c70        cxuser/asp/ 
> > dellp
> > 0x0040   726f 6669 6c65 696e 666f 2e61 7370 2048         
> > rofileinfo.asp.H
> > 0x0050   5454 502f 312e 310d 0a43 6f6e 7465 6e74        TTP/ 
> > 1.1..Content
> > 0x0060   2d74 7970 653a 2061 7070 6c69 6361 7469        - 
> > type:.applicati
> > 0x0070   6f6e 2f78 2d77 7777 2d66 6f72 6d2d 7572        on/x-www- 
> > form-ur
> > 0x0080   6c65 6e63 6f64 6564 0d0a 436f 6e74 656e         
> > lencoded..Conten
> > 0x0090   742d 4c65 6e67 7468 3a20 3137 310d 0a41        t-Length:. 
> > 171..A
> > 0x00a0   6363 6570 743a 202a 2f2a 0d0a 5573 6572        ccept:.*/ 
> > *..User
> > 0x00b0   2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f        - 
> > Agent:.Mozilla/
> > 0x00c0   342e 3020 2863 6f6d 7061 7469 626c 653b        4.0. 
> > (compatible;
> > 0x00d0   2057 696e 3332 3b20 5769 6e48 7474  
> > 702e        .Win32;.WinHttp.
> > 0x00e0   5769 6e48 7474 7052 6571 7565 7374 2e35         
> > WinHttpRequest.5
> > 0x00f0   290d 0a48 6f73 743a 2077 7777 2e64  
> > 656c        )..Host:.www.del
> > 0x0100   6c73 7570 706f 7274 6365 6e74 6572 2e63         
> > lsupportcenter.c
> > 0x0110   6f6d 0d0a 436f 6e6e 6563 7469 6f6e 3a20         
> > om..Connection:.
> > 0x0120   4b65 6570 2d41 6c69 7665 0d0a 0d0a 636c        Keep- 
> > Alive....cl
> > 0x0130   6965 6e74 5f67 7569 643d 3433 3833 6664         
> > ient_guid=4383fd
> > 0x0140   6433 2d30 3732 382d 3437 3364 2d61 3635        d3-0728-473d- 
> > a65
> > 0x0150   352d 3031 6664 6435 3936 3930 6130 2673         
> > 5-01fdd59690a0&s
> > 0x0160   6572 7669 6365 5f74 6167 3d34 5651 5351         
> > ervice_tag=4VQSQ
> > 0x0170   4231 266d 6f64 656c 3d58 5053 204d 3132         
> > B1&model=XPS.M12
> > 0x0180   3130 266c 6f62 3d58 5053 2673 6567 6d65         
> > 10&lob=XPS&segme
> > 0x0190   6e74 3d32 3926 636f 756e 7472 793d 7573         
> > nt=29&country=us
> > 0x01a0   2672 6567 696f 6e3d 5553 2663 6c69 656e         
> > &region=US&clien
> > 0x01b0   745f 6c61 6e67 7561 6765 3d65 6e26 7761         
> > t_language=en&wa
> > 0x01c0   7272 616e 7479 5f65 7870 5f64 6174 653d         
> > rranty_exp_date=
> > 0x01d0   392f 3130 2f32 3030 39                         9/10/2009
> > 
> > -- 
> > 
> > Framework?  I don't need no stinking framework!
> > 
> > ----------------------------------------------------------------
> > @fferent Security Labs:  Isolate/Insulate/Innovate
> > http://www.afferentsecurity.com
> > 
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > 
> 
> 
> --
> Joel Esler ? joel.esler at sourcefire.com
> 
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 

-=[ dxp ]=-
0xA3F3C6E3
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20080509/efe73b1a/attachment-0001.html
                
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20080509/efe73b1a/attachment-0001.bin



[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic