Educause Security Discussion mailing list archives

Re: bestfriends.scr AIM virus


From: Jason Richardson <A00JER2 () WPO CSO NIU EDU>
Date: Mon, 24 Jan 2005 07:50:11 -0600

Thanks for giving it a name because I don't think that this is the virus
named in the subject line for this thread - it acts like a Sdbot/Gaobot
variant.  I've been blocking infected student PCs all weekend.  Our
count is upwards of 50 now, which isn't as bad as, say, Nachi/Welchia, but
it's pretty bad.  I've seen port 135 and 139 but mostly 135.  So far our
admin network has been spared.

Thanks,

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

brooksje () LONGWOOD EDU 1/24/2005 7:23:28 AM >>>
Late Friday, we found the same things.  McAfee declared it to be
W32/Sdbot.worm.gen.j.  The file date/time stamp was Friday at 10:45 AM.
The Network Engineer noticed the 139 probes start at 11:00.  The executable
was in the %SYSTEM32% folder named something like f1r3fox.exe.

Jason Brooks

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Richardson
Sent: Friday, January 21, 2005 6:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Just blocked about 20 machines doing the same thing on our Res Net -
all port 139.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139.  Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for?
We caught a dramatic increase in port 135 scans originating from the
RESNET this morning.  Before today, all was quiet, so I'm wondering if
there might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this.  There
is a snort rule for it.

If you notice traffic going to 81.91.66.220, you probably have
infected hosts.

There are several strains going around as we have had to update McAfee
3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

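The thread's indicators are simple enough to turn into a check: hosts on the ResNet fanning out to many distinct peers on TCP 135/139 in a short window (the Sdbot/Gaobot-style scanning Jason Richardson and Jason Brooks describe), and any host talking to the address Mark Wilson names. The script below is an added example written for this page, not code from the list, from McAfee, or from any of the posters. It runs over constructed flow records (timestamp, source, destination, destination port) embedded in the file; the one-minute window and the threshold of 20 distinct targets are assumptions chosen for the sample, not values from the thread, and should be tuned against your own baseline. The 81.91.66.220 address is quoted only because the 2005 post names it; it is not a current indicator of anything.

```python
"""Flag ResNet hosts that behave like the 135/139 scanners described in the thread.

Added example for this mailing-list page; the flow records are constructed,
and the window/threshold values are assumptions, not figures from the posts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {135, 139}              # ports the thread reports being probed
BEACON_IPS = {"81.91.66.220"}        # address named in Mark Wilson's message (2005)
WINDOW = timedelta(minutes=1)        # assumption: sliding window for fan-out counting
DISTINCT_DST_THRESHOLD = 20          # assumption: distinct targets per window to flag


def sample_flows():
    """Constructed flow log (not real data): 'YYYY-MM-DD HH:MM:SS src dst dport'."""
    lines = []
    # A scanner: 25 distinct targets on 139 within 25 seconds.
    for i in range(25):
        lines.append(f"2005-01-21 11:00:{i:02d} 10.20.1.15 10.20.2.{i + 1} 139")
    # A normal host: a few SMB sessions to two servers spread over an hour.
    for minute, server in (("05", "10.20.5.3"), ("20", "10.20.5.9"), ("50", "10.20.5.3")):
        lines.append(f"2005-01-21 11:{minute}:00 10.20.1.40 {server} 139")
    # A host contacting the address named in the thread (port is arbitrary here).
    lines.append("2005-01-21 11:07:30 10.20.1.77 81.91.66.220 6667")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples; skips blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, clock, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(f"{date} {clock}"), src, dst, int(dport)))
    return records


def find_scanners(records, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct destinations} for sources whose fan-out on
    SCAN_PORTS reaches `threshold` distinct hosts inside any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in SCAN_PORTS:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Anchor a window at each event and count distinct targets inside it.
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_beacons(records, beacon_ips=BEACON_IPS):
    """Return sorted sources that contacted any address in `beacon_ips`."""
    return sorted({src for _, src, dst, _ in records if dst in beacon_ips})


if __name__ == "__main__":
    recs = parse_flows(sample_flows())
    for host, peak in find_scanners(recs).items():
        print(f"possible 135/139 scanner: {host} ({peak} distinct targets in {WINDOW})")
    for host in find_beacons(recs):
        print(f"contacted listed address: {host}")
```

The fan-out count, rather than raw packet volume, is what separates a worm from an ordinary Windows client: the sample's "normal" host also talks on 139, but only to two servers an hour apart, so it stays well under the threshold. Feed real flow or firewall logs into `parse_flows` after adapting the field layout.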