Educause Security Discussion mailing list archives
Re: bestfriends.scr AIM virus
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Fri, 21 Jan 2005 14:28:22 -0600
FYI, I have scanned several samples via http://virusscan.jotti.dhs.org/ , and except for the bytesize and maybe the port, the below is common:

***********************************************
Sandbox: W32/Malware;

[ General information ]
* File length: 33280 bytes.  * VARIES

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\F1REF0X.EXE.

[ Changes to registry ]
* Creates value "Mozilla Firefox"="F1REF0X.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Mozilla Firefox"="F1REF0X.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

[ Network services ]
* Looks for an Internet connection.
* Connects to "81.91.66.220" on port 8080 (TCP).  * PORT MAY VARY BUT NOT IP
* Connects to IRC Server.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot
**********************************************

Evidently there is another such BOT spreading via IM per http://isc.sans.org//index.php
>>> brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139. Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for? We caught a dramatic increase in port 135 scans originating from the RESNET this morning. Before today, all was quiet, so I'm wondering if there might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this. There is a snort rule for it. If you notice traffic going to 81.91.66.220, you probably have infected hosts. There are several strains going around as we have had to update McAfee 3 times. More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
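An added triage example, not code from the thread or from any of its posters: a small Python sweep over flow-style log lines that flags internal hosts contacting the C2 address reported in the sandbox output above. It matches on the IP only, because the report notes the port varies between samples while the IP does not; the log line format and the sample records are constructed for the example.

```python
"""Flag internal hosts that contacted the C2 address from the sandbox report.
The port varies between samples but the IP does not, so match on IP only."""
import ipaddress
import re
from collections import defaultdict

# Indicator from the sandbox output in the thread above.
C2_ADDRESS = ipaddress.ip_address("81.91.66.220")

# Constructed sample flow records: "<timestamp> <src>:<sport> > <dst>:<dport> <proto>".
SAMPLE_LOG = """\
2005-01-21T11:02:17 10.20.31.5:1042 > 81.91.66.220:8080 TCP
2005-01-21T11:02:19 10.20.31.5:1043 > 81.91.66.220:8080 TCP
2005-01-21T11:03:40 10.20.31.9:1101 > 64.12.24.50:5190 TCP
2005-01-21T11:05:02 10.20.44.17:2033 > 81.91.66.220:6667 TCP
garbage line that should be skipped
2005-01-21T11:05:30 10.20.31.9:1105 > 81.91.66.220:443 TCP
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)$"
)

def parse_flow(line):
    """Return a dict for one record, or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_c2_contacts(log_text, c2=C2_ADDRESS):
    """Map each source host to {dst_port: flow_count} for flows to the C2 IP."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than abort the sweep
        if ipaddress.ip_address(rec["dst"]) == c2:
            hits[rec["src"]][rec["dport"]] += 1
    return {host: dict(ports) for host, ports in hits.items()}

if __name__ == "__main__":
    for host, ports in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(f"{host}: contacted C2 on ports {sorted(ports)}")
```

Hosts that appear in the result are candidates for the host-side checks the report lists (the F1REF0X.EXE file and the "Mozilla Firefox" Run/RunServices values).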
Current thread:
- bestfriends.scr AIM virus Mark Wilson (Jan 21)
- <Possible follow-ups>
- Re: bestfriends.scr AIM virus Jason Brooks (Jan 21)
- Re: bestfriends.scr AIM virus Jason Brooks (Jan 21)
- Re: bestfriends.scr AIM virus Mark Wilson (Jan 21)
- Re: bestfriends.scr AIM virus Mark Wilson (Jan 21)
- Re: bestfriends.scr AIM virus Jason Richardson (Jan 21)
- Re: bestfriends.scr AIM virus Anderson, Brandie (Jan 21)
- Re: bestfriends.scr AIM virus Brock, Adam (Jan 22)
- Re: bestfriends.scr AIM virus RLVaughn (Jan 22)
- Re: bestfriends.scr AIM virus H. Morrow Long (Jan 22)
- Re: bestfriends.scr AIM virus Peter Moody (Jan 22)
- Re: bestfriends.scr AIM virus Cam Beasley, ISO (Jan 23)
- Re: bestfriends.scr AIM virus Cam Beasley, ISO (Jan 23)
- Re: bestfriends.scr AIM virus Jeff Kell (Jan 23)
- Re: bestfriends.scr AIM virus Jason Brooks (Jan 24)
(Thread continues...)