Educause Security Discussion mailing list archives

Re: bestfriends.scr AIM virus


From: "Brock, Adam" <Adam_Brock () BAYLOR EDU>
Date: Sat, 22 Jan 2005 13:28:47 -0600

We've been seeing activity like this since the start of the school year.
Typically it's an exe file in the %system32% folder, and named similar
to a legitimate process (e.g., "userinnit.exe", "f1r3f0x.exe",
"explorar.exe").  Sort the files in system32 by date, and the file
should be one of the most recently modified files.  Most of the legit
files will be modified the last time you installed XP, installed a
Service Pack, or did a repair install.  The files will also usually put
themselves in multiple run keys in the registry (HKCU & HKLM: Run,
RunOnce, RunServices, RunServicesOnce).

Hope that helps!

Adam Brock

--
Adam Brock, Student Technology Specialist
Baylor University Campus Living & Learning
w.254.710.4550
m.254.709.9003
http://www.baylor.edu/resnet
http://www.baylor.edu/housing

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 12:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for?  We
caught a dramatic increase in port 135 scans originating from the RESNET
this morning.  Before today, all was quiet, so I'm wondering if there might
be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this.  There is
a snort rule for it.

If you notice traffic going to 81.91.66.220, you probably have infected
hosts.

There are several strains going around as we have had to update McAfee
3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
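The two network-side indicators raised in this thread, hosts talking to 81.91.66.220 (Mark's message) and ResNet hosts suddenly sweeping port 135 (Jason's question), checked against flow records. This is an added example, not from either message or from either university. The record format, the ResNet address range, the scan threshold and the sample flows are all constructed for the demo; only the C2 address comes from the thread.

```python
"""Network checks for the two indicators in the thread: flows to 81.91.66.220,
and ResNet hosts sweeping TCP/135. Added example on a constructed flow format
("<iso-time> <src> <dst> <proto> <dport>"), not any real NetFlow or firewall export."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

C2_HOSTS = {"81.91.66.220"}                    # address named in the message
RESNET = ipaddress.ip_network("10.20.0.0/16")  # hypothetical ResNet range


def parse_flow(line):
    """One record -> dict, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        for ip in (src, dst):
            ipaddress.ip_address(ip)           # raises ValueError on junk
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "proto": proto.upper(), "dport": int(dport)}
    except ValueError:
        return None


def parse_flows(lines):
    return [f for f in map(parse_flow, lines) if f]


def c2_contacts(flows, c2=C2_HOSTS):
    """{source: number of flows to a known C2 address}."""
    return dict(Counter(f["src"] for f in flows if f["dst"] in c2))


def port135_scanners(flows, net=RESNET, window=timedelta(seconds=60), min_targets=20):
    """Sources inside `net` that reached `min_targets` distinct hosts on TCP/135
    within any `window`; returns {source: peak distinct targets}. A few RPC
    connections an hour is normal; dozens a minute is a worm looking for hosts."""
    per_src = defaultdict(list)
    for f in flows:
        if (f["proto"] == "TCP" and f["dport"] == 135
                and ipaddress.ip_address(f["src"]) in net):
            per_src[f["src"]].append((f["ts"], f["dst"]))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, dst in events:                 # sliding window over time
            in_window[dst] += 1
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


def make_sample():
    """Constructed flows: one worm-like host, one beacon-only host, background."""
    t0 = datetime(2005, 1, 21, 9, 0, 0)

    def at(**kw):
        return (t0 + timedelta(**kw)).isoformat()

    lines = [f"{at(seconds=i)} 10.20.3.44 192.168.50.{i + 1} TCP 135" for i in range(25)]
    lines.append(f"{at(seconds=40)} 10.20.3.44 81.91.66.220 TCP 80")   # sweep, then call home
    lines.append(f"{at(minutes=5)} 10.20.9.1 81.91.66.220 TCP 80")     # beacon only
    lines += [f"{at(minutes=20 * i)} 10.20.7.9 10.20.1.{i + 10} TCP 135" for i in range(3)]
    lines.append(f"{at()} 10.20.7.9 198.51.100.7 TCP 80")               # ordinary web traffic
    lines.append(f"{at()} 203.0.113.5 10.20.2.2 TCP 135")               # inbound, not ResNet
    lines.append("not a flow record")                                    # exercises the parser
    return lines


if __name__ == "__main__":
    flows = parse_flows(make_sample())
    print("C2 contacts:", c2_contacts(flows))
    print("TCP/135 scanners:", port135_scanners(flows))
```

On the sample, the host that sweeps 25 addresses and then contacts 81.91.66.220 shows up in both lists; the host that only beacons appears in the C2 list, which is why the address watch is worth running even when the scan detector is quiet. The 60-second window keeps the three spread-out RPC connections from 10.20.7.9 below any sensible threshold.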

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
