Educause Security Discussion mailing list archives
Re: bestfriends.scr AIM virus
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Mon, 24 Jan 2005 11:37:55 -0600
Jason, I posted the original message and you are correct, the subject is misleading. It is a SDBot/Gaobot variant but from what I understand, it spreads via AIM. This is typical of what we have seen:

18:29:04.404272 64.12.24.216.5190 > 131.204.x.x.4595: P 1897733867:1897734053(186) ack 2532983572 win 16384 (DF)
. . .
0x0080 41f2 8c68 0003 001f 7465 7874 2f61 6f6c  A..h....text/aol
0x0090 7274 663b 2063 6861 7273 6574 3d22 7573  rtf;.charset="us
0x00a0 2d61 7363 6969 2200 0400 374f 4d47 204c  -ascii"...7OMG.L
0x00b0 4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65  OOK.http://www.e
0x00c0 6d61 6c69 612e 6e65 742f 6265 7374 6672  malia.net/bestfr
0x00d0 6965 6e64 732e 7363 7220 3f21 2121 3f3f  iends.scr.?!!!??

Snort Rules:

alert tcp $EXTERNAL_NET 5190 -> any any ( sid: 131204042; rev: 4; msg: "LOCAL - Bestfriends.scr"; content: "http"; nocase; content: "bestfriends.scr"; within: 80; nocase;)

alert tcp $HOME_NET any -> any 5190 ( sid: 131204043; rev: 5; msg: "LOCAL - Bestfriends.scr Outbound"; content: "http"; nocase; content: "bestfriends.scr"; within: 80; nocase;)

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
A00JER2 () WPO CSO NIU EDU 1/24/2005 7:50:11 AM >>>
Thanks for giving it a name because I don't think that this is the virus named in the subject line for this thread - it acts like a Sdbot/Gaobot variant. I've been blocking infected student PCs all weekend. Our count is upwards of 50 now which isn't as bad as say Nachi/Welchia but it's pretty bad. I've seen port 135 and 139 but mostly 135. So far our admin network has been spared.

Thanks,

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
brooksje () LONGWOOD EDU 1/24/2005 7:23:28 AM >>>
Late Friday, we found the same things. McAfee declared it to be W32/Sdbot.worm.gen.j. The file date/time stamp was Friday at 10:45 AM. The Network Engineer noticed the 139 probes start at 11:00. The executable was in the %SYSTEM32% folder named something like f1r3fox.exe.

Jason Brooks

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Richardson
Sent: Friday, January 21, 2005 6:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Just blocked about 20 machines doing the same thing on our Res Net - all port 139.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139. Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for? We caught a dramatic increase in port 135 scans originating from the RESNET this morning. Before today, all was quiet, so I'm wondering if there might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this. There is a snort rule for it. If you notice traffic going to 81.91.66.220, you probably have infected hosts. There are several strains going around as we have had to update McAfee 3 times. More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
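The two Snort rules Mark posted and the tcpdump hex dump they were written against, replayed offline as an added example (this is not code from any of the list posters): a parser for tcpdump -X style hex lines, the content/nocase/within matching the rules rely on, and the port test that separates the inbound signature from the outbound one. The function names, the simplified port-only stand-in for $EXTERNAL_NET/$HOME_NET and the extra constructed payloads used to exercise the 80-byte window are assumptions made for this example.

```python
"""Replay of the bestfriends.scr Snort content logic over the tcpdump
hex dump from the thread.  Added example; not code from the list posters."""
import re

# Hex dump lines as quoted in the thread (tcpdump -X style: offset, eight
# 16-bit groups, ASCII column).  The poster elided lines before 0x0080, so
# offset 0 of the parsed bytes corresponds to 0x0080 of the real packet.
HEX_DUMP = """\
0x0080 41f2 8c68 0003 001f 7465 7874 2f61 6f6c A..h....text/aol
0x0090 7274 663b 2063 6861 7273 6574 3d22 7573 rtf;.charset="us
0x00a0 2d61 7363 6969 2200 0400 374f 4d47 204c -ascii"...7OMG.L
0x00b0 4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65 OOK.http://www.e
0x00c0 6d61 6c69 612e 6e65 742f 6265 7374 6672 malia.net/bestfr
0x00d0 6965 6e64 732e 7363 7220 3f21 2121 3f3f iends.scr.?!!!??
"""

# Offset, then up to eight 4-hex-digit groups; the ASCII column is whatever
# follows and is never decoded (the {1,8} cap keeps a hex-looking ASCII
# column from being read as a ninth group on a full line).
_HEX_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{4}\s+){1,8})")

def parse_tcpdump_hex(dump: str) -> bytes:
    """Decode tcpdump -X style lines into the raw bytes they describe."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line.strip() + " ")
        if not m:
            continue  # not a hex line (e.g. the packet summary or '. . .')
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

# The content chain shared by both rules: "http" anywhere, then
# "bestfriends.scr" lying entirely inside the 80 bytes after the end of the
# "http" match (Snort's 'within' semantics), both case-insensitive.
BESTFRIENDS_CONTENTS = [(b"http", None), (b"bestfriends.scr", 80)]

def _chain(hay: bytes, contents, start: int):
    """Recursive matcher: returns match offsets or None.  Backtracks over
    earlier occurrences of a content if a later one cannot be placed."""
    if not contents:
        return []
    needle, within = contents[0]
    end_limit = len(hay) if within is None else min(len(hay), start + within)
    pos = hay.find(needle, start)
    while pos != -1 and pos + len(needle) <= end_limit:
        rest = _chain(hay, contents[1:], pos + len(needle))
        if rest is not None:
            return [pos] + rest
        pos = hay.find(needle, pos + 1)
    return None

def match_content_chain(payload: bytes, contents, nocase: bool = True):
    """Evaluate an ordered (content, within) chain against one payload.
    Returns the byte offset of each content match, or None if no match."""
    hay = payload.lower() if nocase else payload
    norm = [(c.lower() if nocase else c, w) for c, w in contents]
    return _chain(hay, norm, 0)

def classify_packet(src_port: int, dst_port: int, payload: bytes):
    """Return the sid of the thread's rule that fires, or None.
    Simplification (assumption): the rules' $EXTERNAL_NET / $HOME_NET checks
    are reduced to the AIM port 5190 direction test."""
    if match_content_chain(payload, BESTFRIENDS_CONTENTS) is None:
        return None
    if src_port == 5190:
        return 131204042   # LOCAL - Bestfriends.scr (server -> client)
    if dst_port == 5190:
        return 131204043   # LOCAL - Bestfriends.scr Outbound (client -> server)
    return None

def run_demo() -> dict:
    """Parse the captured bytes and apply the rules to the capture plus two
    constructed payloads that probe the edge of the 80-byte window."""
    payload = parse_tcpdump_hex(HEX_DUMP)
    just_inside = b"http" + b"x" * 65 + b"bestfriends.scr"   # ends at byte 84
    just_outside = b"http" + b"x" * 80 + b"bestfriends.scr"  # ends at byte 99
    return {
        "payload_len": len(payload),
        "offsets": match_content_chain(payload, BESTFRIENDS_CONTENTS),
        "inbound_sid": classify_packet(5190, 4595, payload),
        "outbound_sid": classify_packet(4595, 5190, payload),
        "just_inside": match_content_chain(just_inside, BESTFRIENDS_CONTENTS),
        "just_outside": match_content_chain(just_outside, BESTFRIENDS_CONTENTS),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

In the capture, "http" starts 52 bytes into the quoted dump (0x00b4) and "bestfriends.scr" 74 bytes in (0x00ca), well inside the 80-byte window, so both the inbound rule (source port 5190) and, for the mirrored direction, the outbound rule fire. The two constructed payloads show the boundary: a string that ends exactly 80 bytes after "http" still matches, one that ends a byte later does not, which is the usual reason a `within` value is set generously against URLs of varying length.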