Educause Security Discussion mailing list archives

Re: bestfriends.scr/*Bot


From: "Wood, Anne M (wood)" <wood () JUNIATA EDU>
Date: Thu, 10 Feb 2005 08:51:56 -0500

Does this traffic appear to run on any particular port?  I have two
student computers sending traffic to this address to port 8080.  Also,
has Symantec added this to their definitions?  I don't see any reference
to this.

Anne Wood
Network Manager
Juniata College
814-641-5310 

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Tuesday, February 08, 2005 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr/*Bot

Be on the lookout for this one as we continue to see this.  There is a
bleeding edge snort rule for bestfriends.scr.

If you notice traffic going to 209.152.177.208, you probably have
infected hosts on your network.

This malware spreads via AIM (embedded URL in away message) and drops
AgoBot/GoaBot/*Bot on the victim's host. There are several strains going
around.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

