5556 969 455 1545453 Mystery Email

I am getting hundreds of messages from people interested in the Mystery Numbers.

The message body is always 5556 or 969. The message subject is 455 or 1545453. They come from a random selection of residential computers, from all over the world. The assumption is that a Trojan-type PC infection is doing the mailing based on information from the browser cache. I am receiving mail addressed to my primary address as well as to nonsense words at my Harpamps.com and JT30.com hosts, and now my kpgraham.com domain. These have forwarders that will forward any mail to one of my inboxes.

I googled 5556 969 455 1545453 and I am the only blogger who has reported this so far.

This is an interesting thing because there is no payload. There is no attachment, no link, no real information except the mystery numbers. Are we stuck in an episode of Lost?

My best guess is that it is either a Trojan with a bug that was supposed to do a date-triggered mailing but got it wrong, or a Trojan that is sending a signal to another Trojan. The numbers are a key that unlocks what?

If you found me by googling the numbers, please leave a comment with your subject and body numbers. Look at the headers and see if you can find the IP address of whoever is sending this. There are net detectives out there who might be able to trace some of this stuff.

It seems to have been an event centered around June 6. I have no new messages this morning. Here is a message thread where they are discussed, but they made the initial mistake of believing that it was only Gmail accounts.
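As an added example that is not part of the original post, here is a Python script that does the header check asked for above on a constructed header modelled on the one a commenter posted below (the recipient address replaced by a placeholder): it walks the Received: chain from your own provider's relays downward to the first hop handed in by an untrusted host, and flags the other trait of these messages, a From: address forged as the recipient. The trusted-relay suffix `.untd.com` is an assumption taken from that quoted header.

```python
import email
import re

# Constructed sample, modelled on the header a commenter quoted on this page;
# the recipient address is a placeholder, as it was in the comment.
SAMPLE = """\
From: victim@example.invalid
To: victim@example.invalid
Subject: 455
Received: from mx28.lax.untd.com (mx28.lax.untd.com [10.130.24.88])
 by maildeliver02.nyc.untd.com with SMTP id AABCJLN49ADKME8S
 for victim@example.invalid; Tue, 6 Jun 2006 00:48:47 -0700 (PDT)
Received: from AlNajjar.com ([86.62.207.110])
 by mx28.lax.untd.com with SMTP id AABCJLN48AJ3PYV2
 for victim@example.invalid; Tue, 6 Jun 2006 00:48:46 -0700 (PDT)
Content-Type: text/html; charset="us-ascii"

969
"""

HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """Parse each Received: header into (helo_name, ip, receiving_host), newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(hdr.split()))  # unfold the header first
        if m:
            helo, comment, by = m.groups()
            ip = IP_RE.search(comment or "")
            hops.append((helo, ip.group(1) if ip else None, by))
    return hops

def origin(raw, trusted_suffix):
    """Walk from the top (your provider's relays) down: the first hop a trusted
    relay accepted from an untrusted host is where the message entered."""
    for helo, ip, by in received_hops(raw):
        if not by.endswith(trusted_suffix):
            return None  # this header was written by an untrusted party; stop
        if not helo.endswith(trusted_suffix):
            return helo, ip
    return None

def sender_forged_as_recipient(raw):
    """In the quoted header the From: address is the recipient's own address."""
    msg = email.message_from_string(raw)
    return msg["From"] == msg["To"]
```

Everything below the hop `origin()` returns, including the HELO name `AlNajjar.com`, is supplied by the sending machine and proves nothing; only the IP your own relay recorded is worth looking up.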

4 Comments

  1. Anonymous wrote:

    Subject 57657 is what I am seeing. Appears to be from Russia per the email header info.

    IP address: 212.5.119.66
    Reverse DNS: vlan066.socket.ru.
    Reverse DNS authenticity: [Verified]
    ASN: 8470
    ASN Name: MAcomnet (MAcomnet Autonomous System)
    IP range connectivity: 1
    Registrar (per ASN): RIPE
    Country (per IP registrar): RU [Russian Federation]
    Country Currency: RUR [Russia Rubles]
    Country IP Range: 212.5.64.0 to 212.5.127.255
    Country fraud profile: High
    City (per outside source): Unknown
    Private (internal) IP? No
    IP address registrar: whois.ripe.net
    Known Proxy? No
    Link for WHOIS: 212.5.119.66

    Wednesday, June 7, 2006 at 9:59 am | Permalink
  2. Anonymous wrote:

    Subject 455 body text 969. Full header is (with “my address” substituted for email address):

    From: “my address”
    To: “my address”
    Date: Tue, 06 Jun 2006 10:59:31 +0300
    Subject: 455
    Message-ID: [email protected]
    Received: from mx28.lax.untd.com (mx28.lax.untd.com [10.130.24.88])
    by maildeliver02.nyc.untd.com with SMTP id AABCJLN49ADKME8S
    for [my address] (sender [my address]);
    Tue, 6 Jun 2006 00:48:47 -0700 (PDT)
    Received: from AlNajjar.com ([86.62.207.110])
    by mx28.lax.untd.com with SMTP id AABCJLN48AJ3PYV2
    for [my address] (sender [my address]);
    Tue, 6 Jun 2006 00:48:46 -0700 (PDT)
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-UNTD-Peer-Info: 86.62.207.110|<>|AlNajjar.com|my address
    X-ContentStamp: 1:0:0
    Return-Path: [my address]
    X-UNTD-UBE: 5

    Wednesday, June 7, 2006 at 9:47 pm | Permalink
  3. Anonymous wrote:

    Hi,
    We received the following variants:
    154545
    1545453
    455
    557
    57657
    586876

    Wednesday, June 14, 2006 at 12:44 am | Permalink
  4. Anonymous wrote:

    If you are receiving it, you are not infected and not much can stop it; look here http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html

    regards
    lxnx

    Thursday, June 15, 2006 at 1:54 am | Permalink