SANS ISC: InfoSec Handlers Diary Blog


Another day, another bot being spammed

Published: 2006-01-27
Last Updated: 2006-01-27 22:55:57 UTC
by Lorna Hutcheson (Version: 1)

A new bot (a Brepibot variant) is being actively spammed. What's interesting about it is that it seems to be targeting universities. Also, it seems that the author is constantly producing new variants of the bot. In the last couple of hours we received several samples of the bot:

e5f68caf1c546e00fff964d8ac18d37a  Photo and Article.exe
69564b5904d8a4e33d58e25ef6edfd39  Transaction and Billing Services.exe.1
a2d9fc4ece5caa109291b25804ef6f3a  photo+article.exe

This bot leans heavily on social engineering and plays on the emotions of its targets. One message targets a person's ego and the other targets people's sympathy/empathy. Here are some of the subjects that we have seen:

Photo and Article
Campus Student Raped
Do you recognise this person?
CCTV still of Rapist
Rape on Campus

Here are a couple of the message bodies:


We are planning to include you in the new campus magazine in an article titled "Campus Life".  Can you approve the photo and article for us before we go to printing please?

If any details are wrong then we can amend before printing on Wednesday the 1st of February so please get back to us as soon as possible. We have attached the photo and article.

Many Thanks & Best Regards,

Joseph Hope


During the early morning of January 25 2006, a campus student was the victim of a horrific sexual assault within college grounds. Eyewitnesses report a tall black man in grey pants running away from the scene.  Campus CCTV has caught this man on camera and are looking for ways to identify him.  If anyone recognises the attached picture could they inform administraion immediatly


Robert Atkins
Campus Administration

One attachment was an .exe and the other was a zipped attachment containing an .exe.

Please let us know if you see any other variants!!
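
A mail-gateway style check for the two delivery forms described above (a bare .exe, and a zip containing an .exe), with an MD5 comparison against the three samples listed. This is an added example, not part of the original diary; the function names and the constructed test message are assumptions. Because new variants keep appearing, the hash match only supplements the attachment-type checks.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# MD5 values of the samples listed in the diary entry above.
KNOWN_MD5 = {
    "e5f68caf1c546e00fff964d8ac18d37a",
    "69564b5904d8a4e33d58e25ef6edfd39",
    "a2d9fc4ece5caa109291b25804ef6f3a",
}


def exe_members(data):
    """Return names of .exe members if data is a readable zip, else []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Return (attachment name, reason) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches nested multipart parts
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        data = part.get_payload(decode=True) or b""
        if hashlib.md5(data).hexdigest() in KNOWN_MD5:
            findings.append((name, "md5 matches a listed sample"))
        if name.lower().endswith(".exe"):
            findings.append((name, "executable attachment"))
        for member in exe_members(data):
            findings.append((name, "zip contains " + member))
    return findings


def build_sample(filename, payload):
    """Constructed test message carrying harmless bytes (not a real sample)."""
    m = EmailMessage()
    m["Subject"] = "Photo and Article"
    m.set_content("We have attached the photo and article.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
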
