Educause Security Discussion mailing list archives

Re: bestfriends.scr AIM virus


From: Peter Moody <peter () UCSC EDU>
Date: Sat, 22 Jan 2005 15:13:56 -0800

81.91.66.220 to be a Command and Control for a bot drone army.

Thought I sent this out yesterday but I just noticed it in my drafts
folder.  Oh well.

Yes, this ip address is a C&C for sure.  Others have noticed something
on the order of 10k drones.  Check those flows.

A bit about this guy:

        * associated with this botnet is the malware distribution site
                http://www. adare.ca/ I haven't checked today, but 
                yesterday you could find spybot.exe and bestfriends.scr 
                there.

        * the malware, when run, does lots of little nasty things to
                your computer including but not limited to trying to
                connect to a C&C @ tx.abeautifultragedy.com (already
                shut).

So, to summarize:

        * check flows to that ip (not just to 6667, I was told other
                ports were open as well like 6666, 8888, 8080)
        
        * check your dns logs for adare.ca and tx.abeautifultragedy.com.
                you're logging ns queries, right?

Regards,
-Peter

-- 
Peter Moody                             <peter () ucsc edu>
Information Security Administrator          831/459.5409
Information and Technology Services.      UC, Santa Cruz
http://security.ucsc.edu/pgp/peter.moody.pub      AS5739
:wq
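The two checks Peter asks for (flows to the C&C address on any port, and DNS queries for the two malware domains, correlated by source host) as a worked script. This is an added example and not part of the original post: the flow and DNS log formats are simplified, constructed samples, and the only page-specific values are the IP, ports and domains the post itself names.

```python
import re
from collections import defaultdict

# Indicators from the post (the only non-constructed values in this file).
C2_IP = "81.91.66.220"
C2_PORTS = {6667, 6666, 8888, 8080}
SUSPECT_DOMAINS = {"adare.ca", "tx.abeautifultragedy.com"}

# Constructed sample flow records (not real traffic): ts src dst dport bytes
SAMPLE_FLOWS = """\
2005-01-21T10:02:11 10.1.4.22 81.91.66.220 6667 1240
2005-01-21T10:02:15 10.1.4.22 192.0.2.10 80 5120
2005-01-21T10:03:40 10.1.7.9 81.91.66.220 8080 880
2005-01-21T10:05:02 10.1.9.31 81.91.66.220 443 300
2005-01-21T10:05:59 10.1.4.22 81.91.66.220 6667 2030
"""

# Constructed sample DNS query-log lines (simplified BIND-style format).
SAMPLE_DNS = """\
21-Jan-2005 10:01:58 client 10.1.4.22#3421: query: www.adare.ca IN A
21-Jan-2005 10:02:03 client 10.1.7.9#3310: query: tx.abeautifultragedy.com IN A
21-Jan-2005 10:02:40 client 10.1.2.5#3199: query: www.example.com IN A
"""

DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, dport, nbytes = fields
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_c2_flows(flows):
    """Map each internal source to its flows toward the C&C address.

    Every destination port is reported, per the post's advice that the
    C&C listens on more than 6667; known_port marks the ports listed there.
    """
    hits = defaultdict(list)
    for f in flows:
        if f["dst"] == C2_IP:
            hits[f["src"]].append(dict(f, known_port=f["dport"] in C2_PORTS))
    return dict(hits)


def domain_is_suspect(qname):
    """True if qname equals or is a subdomain of a listed domain (www.adare.ca matches adare.ca)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in SUSPECT_DOMAINS)


def find_suspect_dns(text):
    """Return (client_ip, qname) pairs for queries naming a suspect domain."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m and domain_is_suspect(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits


def correlate_hosts(c2_hits, dns_hits):
    """Hosts that both resolved a malware domain and talked to the C&C address."""
    return set(c2_hits) & {client for client, _ in dns_hits}


if __name__ == "__main__":
    c2 = find_c2_flows(parse_flows(SAMPLE_FLOWS))
    dns = find_suspect_dns(SAMPLE_DNS)
    for src, flows in sorted(c2.items()):
        ports = sorted({f["dport"] for f in flows})
        print(f"{src}: {len(flows)} flow(s) to {C2_IP} on ports {ports}")
    for client, qname in dns:
        print(f"{client}: DNS query for {qname}")
    print("hosts with both indicators:", sorted(correlate_hosts(c2, dns)))
```

The flow check deliberately matches the address on every port and only annotates the ports Peter lists, so a host talking to the C&C on an unexpected port (10.1.9.31 on 443 in the sample) still surfaces for review; the DNS match is suffix-based so a www. or other subdomain query is not missed.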

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
