Within one particular botnet we observed an attacker who issued the following command (please note that the URLs have been obfuscated):
The command .mm ("mass emailing") is a customized version of the generic spam.start command. This command accepts four parameters:
In this case, the fetch.php script returned 30 different email addresses every time it was invoked. An email message advertising the second parameter of the command was constructed for each of these recipients. In this example, that parameter pointed to a web page that attempted to install an ActiveX component on the victim's computer.