Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 4 Feb 2005 16:01:43 -0500
Our IDP has been blocking MSN put and get messages containing this:

http://www.securityfocus.com/news/10424?ref=rss

Shortly after a successful get, we would see clients phoning IRC servers.

The IDPs are also blocking requests for bestfriends.scr from lots of different web sites, some presumably hacked. I downloaded a copy and submitted it to Symantec and they put out a RapidRelease for it. They identified it as a version of SDBot. I submitted it to virustotal and only a couple folks recognized it, all as old sd/agobot variants.

A few months ago, Bestfriends.scr was used in AIM buddy or away messages (I can't remember which) to entice people to download malware. Not sure if that is where this is originating or not. Our IDP isn't triggering on those extensions in AIM messages though.

Either one may explain scanning.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.