koko.exe does a GET request to 193.242.108.49:
GET /Dialer_Min/number.asp HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 193.242.108.49
Connection: Keep-Alive
The server replies with a text file (a.b.c.d == my IP):
003727091384
US
a.b.c.d
1.8
test disclaimer
The URL and first line of the reply point to a phone number, so I polled the server to see how many phone numbers come back:
dennis@ipa:~$ for i in `seq 1 1 500`; do
> lynx -source http://193.242.108.49/Dialer_Min/number.asp | head -1 >> numbers
> done
dennis@ipa:~$ cat numbers | sort | uniq -c | sort -nr
73 0023222279883
61 01137165159890
54 01137091022348
50 01137165159892
50 003727091384
49 011239200167
47 00239200167
46 01123222279883
44 0037165159892
26 011438209216455
The phone numbers break down like this:
011438209216455
    011 - US (International Direct Dialling)
    43 - Austria (Country Calling Code)
    820 - services with regulated max. tariffs
    9216455

01137165159892
0037165159892
    011/00 - US/Generic
    371 - Latvia
    651 - landlines for district of Aizkraukle
    59892

01137165159890
    011 - US
    371 - Latvia
    651 - landlines for district of Aizkraukle
    59890

01137091022348
    011 - US
    370 - Lithuania
    910 - premium rate numbers
    22 348

011239200167
00239200167
    011/00 - US/Generic
    239 - Sao Tome and Principe
    239200167 - couldn't track down a source on phone number format

01123222279883
0023222279883
    011/00 - US/Generic
    232 - Sierra Leone
    22279883 - couldn't track down a source on phone number format

003727091384
    00 - Generic
    372 - Estonia
    709 - landline
    1384
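The same breakdown done programmatically, as an added example that is not part of the original post: it strips the 011/00 dial-out prefix, matches the country codes listed above, and merges the counts of numbers that differ only by prefix, which gives a normalized list suitable for a call-barring or alerting rule. The function names are hypothetical; the sample data is the `uniq -c` output shown earlier.

```python
from collections import Counter

# `uniq -c` output copied from the post (500 polls of number.asp).
SAMPLE = """\
73 0023222279883
61 01137165159890
54 01137091022348
50 01137165159892
50 003727091384
49 011239200167
47 00239200167
46 01123222279883
44 0037165159892
26 011438209216455
"""

# Dial-out prefixes and country calling codes exactly as the post lists them.
IDD_PREFIXES = ("011", "00")
COUNTRY_CODES = {"43": "Austria", "370": "Lithuania", "371": "Latvia",
                 "372": "Estonia", "239": "Sao Tome and Principe", "232": "Sierra Leone"}


def split_number(dialed):
    """Return (idd_prefix, country_code, national_part); None where unknown."""
    prefix = next((p for p in IDD_PREFIXES if dialed.startswith(p)), None)
    rest = dialed[len(prefix):] if prefix else dialed
    # Country calling codes are 1 to 3 digits long; try the longest first.
    for width in (3, 2, 1):
        if rest[:width] in COUNTRY_CODES:
            return prefix, rest[:width], rest[width:]
    return prefix, None, rest


def tally(uniq_c_output):
    """Merge prefix variants; return (per_destination, per_country) Counters."""
    per_destination, per_country = Counter(), Counter()
    for line in uniq_c_output.splitlines():
        count, dialed = line.split()
        _, cc, national = split_number(dialed)
        key = f"+{cc}{national}" if cc else dialed  # leave unknown numbers as dialed
        per_destination[key] += int(count)
        per_country[COUNTRY_CODES.get(cc, "unknown")] += int(count)
    return per_destination, per_country


if __name__ == "__main__":
    destinations, countries = tally(SAMPLE)
    for name, hits in destinations.most_common() + countries.most_common():
        print(f"{hits:4d}  {name}")
```

Run against the polled data, the ten dial strings collapse to seven distinct destinations in six countries.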
References:
Virustotal
ThreatExpert
CWSandbox