Message from WEBPOPUP to 192.168.0.1 at 08:00:21 October 21, 2002

Webpopup, as it is commonly known, is a relatively new form of spam currently plaguing the net. It victimizes a Microsoft Windows 2000/XP/NT LAN service known as Messenger. Back in the Novell Netware days, Messenger was known as "net send," and was used for sending messages between terminals. The modern version of Messenger is used by Windows for much the same purpose, except it's moved from the command line to a dialog box that pops into "always on top" mode until the user closes it.

Messenger is part of the NetBIOS set of services, and it is enabled by default in all recent builds of Windows.

Spammers, as is their wont, have taken to using Messenger to send spam. Normal procedure for a Messenger spammer involves port scanning random netblocks and compiling a list of hosts that have port 139 (reportedly, port 445 has also been used) open to incoming TCP or UDP requests (both work). The compiled list is then put into a batch file along with a pre-formatted advertisement for porn, university diplomas, penis enlargement, Viagra, or pyramid schemes, and then executed. The spam is sent across the network much faster than email spam could ever dream of. Spammers love it because it's extremely difficult to trace, extremely easy to forge, and its receivers are forced into paying attention to it, even if only to close it.

If you've been getting annoyed with those seemingly untraceable "WEBPOPUP" spams that pop up in what look like dialog boxes under Windows 2000/XP/NT, here's how to disable the service that allows them to pop up in the first place (the following actions require that you be logged into a Windows administrator account, or any other Windows account that has admin privileges):

1. Open the Control Panel.
2. Open Administrative Tools.
3. Open Component Services.
4. Select the third item in the left pane (Services).
5. In the right pane, select "Messenger," and double click it to open its properties.
6. In the "Messenger" properties dialog, click the Stop button to stop the service. (Or enter net stop messenger at the command line.)
7. Select "Disabled" from the dropdown box.
8. Click the Apply and OK buttons, and be bothered no more.

This is not related to MSN Messenger.

I'm running a pretty tight firewall, but webpopup still found a way through, even though I've got the ports that it has been known to use (139 and 445) closed to incoming requests. So it would seem that disabling the Messenger service is the only way to avoid this strange new breed of spam.

I've heard tell that blocking UDP on port 137 is additionally effective at blocking webpopup spam.

For the less technically-inclined users of Microsoft Windows, a program exists that will turn off the Messenger service for you. You can find it at the following URL:

http://www.mywebattack.com/gnomeapp.php?id=106959

Steve Gibson has come up with another program to shut down messenger services called "Shoot the Messenger." Find it at the following URL:

http://www.grc.com/stm/shootthemessenger.htm