Educause Security Discussion mailing list archives
Re: bestfriends.scr/*Bot
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 10 Feb 2005 09:49:23 -0500
Wood, Anne M (wood) wrote:
Does this traffic appear to run on any particular port? I have two student computers sending traffic to this address to port 8080. Also, has Symantec added this to their definitions? I don't see any reference to this.
I sent a copy to Symantec last Friday and they furnished a rapid release identifying it as a version of backdoor.sdbot. It was not included in yesterday's LiveUpdate release dated 2/3/2005 rev 8 but is included in today's dated 2/9/2005 rev 32. They also sent the following instructions to get the rapid release:

1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
2. Click this link to the ftp site: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsi32.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
3. When a download dialog box appears, save the file to the Windows desktop.
4. Double-click the downloaded file and follow the prompts.

P.S. I submitted it to VirusTotal and it was missed by most of the AV manufacturers last Friday. Also, the server listed below is one of several hosting the file.
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Tuesday, February 08, 2005 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr/*Bot

Be on the lookout for this one as we continue to see this. There is a Bleeding Edge Snort rule for bestfriends.scr. If you notice traffic going to 209.152.177.208, you probably have infected hosts on your network. This malware spreads via AIM (embedded URL in away message) and drops AgoBot/GoaBot/*Bot on the victim's host. There are several strains going around. More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
--
Gary Flynn
Security Engineer
James Madison University
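The check Mark Wilson describes (look for hosts talking to 209.152.177.208) and the port 8080 traffic Anne Wood reported, as an added example that is not part of the thread or of the Bleeding Edge rule: a small script that scans firewall log lines for flows involving that address and reports each internal host with the server-side ports seen. The log format and the sample lines are constructed for the example; the only indicator taken from the thread is the IP address.

```python
"""Flag internal hosts exchanging traffic with the bestfriends.scr server.

Added example, not from the original thread.  The log format below is an
assumed iptables-style syslog layout; the sample lines are constructed.
The only indicator taken from the thread is the server address.
"""
import re
from collections import defaultdict

# Indicator named in the thread: one of the servers hosting bestfriends.scr.
IOC_ADDR = "209.152.177.208"

# Constructed sample log lines (not real traffic).  Note the decoy
# 209.152.177.20 line: a naive substring match would flag it.
SAMPLE_LOG = """\
Feb 10 09:12:01 fw1 kernel: ACCEPT SRC=10.20.5.17 DST=209.152.177.208 PROTO=TCP SPT=3412 DPT=8080
Feb 10 09:12:04 fw1 kernel: ACCEPT SRC=10.20.5.17 DST=64.12.24.37 PROTO=TCP SPT=3415 DPT=5190
Feb 10 09:13:22 fw1 kernel: ACCEPT SRC=10.20.9.101 DST=209.152.177.208 PROTO=TCP SPT=1078 DPT=8080
Feb 10 09:14:05 fw1 kernel: ACCEPT SRC=10.20.9.101 DST=209.152.177.208 PROTO=TCP SPT=1079 DPT=80
Feb 10 09:15:40 fw1 kernel: ACCEPT SRC=10.20.3.2 DST=209.152.177.20 PROTO=TCP SPT=2201 DPT=80
Feb 10 09:16:11 fw1 kernel: DROP SRC=209.152.177.208 DST=10.20.5.17 PROTO=TCP SPT=8080 DPT=3412
"""

# Fields of the assumed log layout.  Addresses are compared exactly after
# parsing, so the decoy 209.152.177.20 does not match the indicator.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def suspect_hosts(log_text, ioc=IOC_ADDR):
    """Return {internal_host: sorted server-side ports} for flows with ioc.

    Outbound flows (DST=ioc) record the destination port; inbound flows
    (SRC=ioc, e.g. replies the firewall logged) record the source port, so
    the port list always shows the port on the indicator's side.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow line in the assumed format
        if m.group("dst") == ioc:
            hits[m.group("src")].add(int(m.group("dpt")))
        elif m.group("src") == ioc:
            hits[m.group("dst")].add(int(m.group("spt")))
    return {host: sorted(ports) for host, ports in hits.items()}


def report(hits, ioc=IOC_ADDR):
    """Render one line per flagged host, sorted by address string."""
    return [
        f"{host} <-> {ioc} on port(s) {', '.join(str(p) for p in hits[host])}"
        for host in sorted(hits)
    ]


if __name__ == "__main__":
    for line in report(suspect_hosts(SAMPLE_LOG)):
        print(line)
```

Run against real firewall or NetFlow exports, the hosts it lists are the ones to pull for an AV rapid-release scan; the decoy line shows why the match must be on the parsed address rather than a substring of the log line.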
Current thread:
- bestfriends.scr/*Bot Mark Wilson (Feb 08)
- <Possible follow-ups>
- Re: bestfriends.scr/*Bot Wood, Anne M (wood) (Feb 10)
- Re: bestfriends.scr/*Bot Mark Wilson (Feb 10)
- Re: bestfriends.scr/*Bot Gary Flynn (Feb 10)
- Re: bestfriends.scr/*Bot Jeff Kell (Feb 10)