Educause Security Discussion mailing list archives

Re: bestfriends.scr AIM virus


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Fri, 21 Jan 2005 14:13:53 -0600

Seems like this was seeking to exploit LSASS (port 445?).  Anyway, these
BOT variants do tend to look for open shares.

You may want to scan for 113/tcp on your resnet as it may open a trojan
on that port.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139.  Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for?  We
caught a dramatic increase in port 135 scans originating from the RESNET
this morning.  Before today, all was quiet, so I'm wondering if there
might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this.  There is
a snort rule for it.

If you notice traffic going to 81.91.66.220, you probably have infected
hosts.

There are several strains going around as we have had to update McAfee
3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
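
Added example, not part of the original thread or any poster's code: a triage pass over flow records using the two network indicators mentioned above (traffic to 81.91.66.220, and one source touching many hosts on 135, 139 or 445/tcp). The record layout, the internal addresses and the fan-out threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

C2_ADDR = "81.91.66.220"       # address named in the thread
SCAN_PORTS = {135, 139, 445}   # ports the posters reported being probed
FANOUT_THRESHOLD = 3           # assumption: distinct targets before flagging

# Constructed sample, one flow per line: "epoch src dst dport proto"
SAMPLE_FLOWS = """\
1106330400 10.20.1.15 81.91.66.220 80 tcp
1106330401 10.20.1.15 10.20.2.1 135 tcp
1106330402 10.20.1.15 10.20.2.2 135 tcp
1106330403 10.20.1.15 10.20.2.3 135 tcp
1106330404 10.20.1.15 10.20.2.4 139 tcp
1106330405 10.20.3.7 10.20.9.9 445 tcp
1106330406 10.20.3.8 192.0.2.10 80 tcp
malformed line here
"""

def triage(flow_text, threshold=FANOUT_THRESHOLD):
    """Return {source_ip: [reasons]} for hosts matching either indicator."""
    contacted = set()
    targets = defaultdict(set)  # (src, port) -> distinct destinations seen
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed records instead of aborting the run
        _, src, dst, dport, proto = parts
        if proto != "tcp":
            continue
        if dst == C2_ADDR:
            contacted.add(src)
        if int(dport) in SCAN_PORTS:
            targets[(src, int(dport))].add(dst)
    findings = {}
    for src in sorted(contacted):
        findings.setdefault(src, []).append(f"contacted {C2_ADDR}")
    for (src, port), dsts in sorted(targets.items()):
        # A single connection to a file server is normal; many distinct
        # destinations on the same port from one host is scan behaviour.
        if len(dsts) >= threshold:
            findings.setdefault(src, []).append(f"{len(dsts)} targets on {port}/tcp")
    return findings

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_FLOWS).items():
        print(host, "; ".join(reasons))
```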