Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 4 Feb 2005 16:01:43 -0500

Our IDP has been blocking MSN put and get messages
containing this:
http://www.securityfocus.com/news/10424?ref=rss
Shortly after a successful get, we would see
clients phoning IRC servers.

The IDPs are also blocking requests for
bestfriends.scr from lots of different web sites,
some presumably hacked. I downloaded a copy
and submitted it to Symantec and they put out a
RapidRelease for it. They identified it as a
version of SDBot. I submitted it to virustotal
and only a couple of folks recognized it, all as
old sd/agobot variants.

A few months ago, Bestfriends.scr was used in AIM
buddy or away messages (I can't remember which)
to entice people to download malware. Not sure
if that is where this is originating or not. Our
IDP isn't triggering on those extensions in AIM
messages though.

Either one may explain scanning.



--
Gary Flynn
Security Engineer
James Madison University
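The post describes two observations that, taken together, point at a bot infection: a request for bestfriends.scr followed shortly by the same client connecting to an IRC server. The script below is an added example (not from Gary Flynn's post or JMU's IDP) that correlates those two events over constructed proxy and firewall log lines. The log format, the IRC port set, the ten-minute window and all addresses are assumptions made for the example.

```python
"""Correlate requests for a suspect screensaver download with a later IRC
connection from the same client.  Log format, ports, and window are assumptions
for this example; the sample log lines are constructed."""
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed log format: "<YYYY-mm-dd HH:MM:SS> <client_ip> <HTTP|CONNECT> <detail>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (HTTP|CONNECT) (.*)$"
)

# Indicator taken from the post: requests for a file named bestfriends.scr.
SUSPECT_NAMES = {"bestfriends.scr"}
# Common IRC ports; an assumed set, tune for your environment.
IRC_PORTS = {6667, 6668, 6669, 7000}

# Constructed sample log (not real traffic).  Chronological order is assumed.
SAMPLE_LOG = """\
2005-02-04 15:01:02 10.0.3.17 HTTP GET http://example.invalid/images/bestfriends.scr
2005-02-04 15:01:40 10.0.3.17 CONNECT 198.51.100.9:6667
2005-02-04 15:02:11 10.0.5.22 HTTP GET http://example.invalid/index.html
2005-02-04 15:03:05 10.0.5.22 CONNECT 198.51.100.9:6667
2005-02-04 15:10:00 10.0.7.8 HTTP GET http://another.invalid/BestFriends.SCR
2005-02-04 15:40:00 10.0.7.8 CONNECT 203.0.113.4:6667
this line is garbage and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, kind, detail = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "client": client,
        "kind": kind,
        "detail": detail,
    }


def is_suspect_download(detail):
    """True when an HTTP detail is a GET whose filename is in SUSPECT_NAMES.

    The filename is compared case-insensitively after stripping the path, so
    BestFriends.SCR served from any directory still matches."""
    parts = detail.split(maxsplit=1)
    if len(parts) != 2 or parts[0] != "GET":
        return False
    name = posixpath.basename(urlparse(parts[1]).path)
    return name.lower() in SUSPECT_NAMES


def is_irc_connect(detail):
    """True when a CONNECT detail of the form host:port targets an IRC port."""
    _host, sep, port = detail.rpartition(":")
    return bool(sep) and port.isdigit() and int(port) in IRC_PORTS


def correlate(log_text, window_minutes=10):
    """Flag clients that connect to an IRC port within `window_minutes` of
    requesting a suspect file.  Only the most recent download per client is
    kept, which is enough for the one-download-then-beacon pattern here."""
    window = timedelta(minutes=window_minutes)
    last_download = {}  # client_ip -> time of most recent suspect download
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "HTTP" and is_suspect_download(ev["detail"]):
            last_download[ev["client"]] = ev["time"]
        elif ev["kind"] == "CONNECT" and is_irc_connect(ev["detail"]):
            t0 = last_download.get(ev["client"])
            if t0 is not None and timedelta(0) <= ev["time"] - t0 <= window:
                findings.append({
                    "client": ev["client"],
                    "download_time": t0,
                    "irc_time": ev["time"],
                    "irc_dst": ev["detail"],
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['client']}: {f['irc_dst']} "
              f"{(f['irc_time'] - f['download_time']).seconds}s after download")
```

With the default ten-minute window only 10.0.3.17 is flagged: 10.0.5.22 talks IRC but never fetched the file, and 10.0.7.8 fetched it but connected thirty minutes later. Widening the window to an hour also catches 10.0.7.8, which shows the trade-off the post hints at: a short window keeps the correlation tight, a long one catches slower beacons at the cost of more ordinary IRC users being pulled in.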
