Educause Security Discussion mailing list archives

Re: bestfriends.scr AIM virus


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Mon, 24 Jan 2005 11:37:55 -0600

Jason,
I posted the original message and you are correct, the subject is misleading. It is an SDBot/GaoBot variant, but from what I understand it spreads via AIM.

This is typical to what we have seen:
18:29:04.404272 64.12.24.216.5190 > 131.204.x.x.4595: P
1897733867:1897734053(186) ack 2532983572 win 16384 (DF)
.
.
.
0x0080   41f2 8c68 0003 001f 7465 7874 2f61 6f6c
A..h....text/aol
0x0090   7274 663b 2063 6861 7273 6574 3d22 7573
rtf;.charset="us
0x00a0   2d61 7363 6969 2200 0400 374f 4d47 204c
-ascii"...7OMG.L
0x00b0   4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65
OOK.http://www.e
0x00c0   6d61 6c69 612e 6e65 742f 6265 7374 6672
malia.net/bestfr
0x00d0   6965 6e64 732e 7363 7220 3f21 2121 3f3f
iends.scr.?!!!??

Snort Rules:
alert tcp $EXTERNAL_NET 5190 -> any any ( sid: 131204042; rev: 4; msg:
"LOCAL - Bestfriends.scr"; content: "http"; nocase; content:
"bestfriends.scr"; within: 80; nocase;)
alert tcp $HOME_NET any -> any 5190 ( sid: 131204043; rev: 5; msg:
"LOCAL - Bestfriends.scr Outbound"; content: "http"; nocase; content:
"bestfriends.scr"; within: 80; nocase;)



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
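Added example, not from the list message or from Auburn's tooling: a small Python check that rebuilds the packet bytes from the tcpdump hex lines quoted above and applies the same two content tests the Snort rules use (`http`, then `bestfriends.scr` within 80 bytes, both nocase). The hex dump is the one shown above; the function names and the `within` interpretation (second pattern must end no more than N bytes after the end of the first match) are my own.

```python
"""Emulate the content/within checks of the two LOCAL Snort rules on a tcpdump -X dump."""
import re

# Constructed sample: the hex columns of the tcpdump lines quoted in the message.
# The ASCII gutter lines ("A..h....text/aol") are ignored, only 0xNNNN lines count.
SAMPLE_DUMP = """\
0x0080   41f2 8c68 0003 001f 7465 7874 2f61 6f6c
0x0090   7274 663b 2063 6861 7273 6574 3d22 7573
0x00a0   2d61 7363 6969 2200 0400 374f 4d47 204c
0x00b0   4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65
0x00c0   6d61 6c69 612e 6e65 742f 6265 7374 6672
0x00d0   6965 6e64 732e 7363 7220 3f21 2121 3f3f
"""

# One tcpdump -X hex line: offset, whitespace, groups of 2-4 hex digits, nothing else.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+:?\s+((?:[0-9a-fA-F]{2,4}\s*)+)$")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild the captured bytes from the hex column of each 0xNNNN line."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def content_within(payload, first, second, within, nocase=True):
    """Snort-style 'content:first; content:second; within:N' test.

    Returns (offset_of_first, offset_of_second) for the first pair that
    satisfies the rule, or None. With within:N the second pattern must end
    no more than N bytes after the end of the preceding match.
    """
    hay = payload.lower() if nocase else payload
    a, b = (first.lower(), second.lower()) if nocase else (first, second)
    start = 0
    while (i := hay.find(a, start)) >= 0:
        end_first = i + len(a)
        j = hay[end_first:end_first + within].find(b)   # slice enforces the window
        if j >= 0:
            return i, end_first + j
        start = i + 1   # this 'http' had no bestfriends.scr close enough; try the next
    return None


def matches_bestfriends_rule(payload: bytes) -> bool:
    """Content part shared by sid 131204042 (inbound) and 131204043 (outbound)."""
    return content_within(payload, b"http", b"bestfriends.scr", within=80) is not None
```

Pass `matches_bestfriends_rule(parse_hexdump(open("capture.txt").read()))` over a saved `tcpdump -X` dump to triage a suspect 5190 session offline before writing a rule.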

A00JER2 () WPO CSO NIU EDU 1/24/2005 7:50:11 AM >>>
Thanks for giving it a name because I don't think that this is the virus named in the subject line for this thread - it acts like a Sdbot/Gaobot variant. I've been blocking infected student PCs all weekend. Our count is upwards of 50 now which isn't as bad as say Nachi/Welchia but it's pretty bad. I've seen port 135 and 139 but mostly 135. So far our admin network has been spared.

Thanks,

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

brooksje () LONGWOOD EDU 1/24/2005 7:23:28 AM >>>
Late Friday, we found the same things. McAfee declared it to be W32/Sdbot.worm.gen.j. The file date/time stamp was Friday at 10:45 AM. The Network Engineer noticed the 139 probes start at 11:00. The executable was in the %SYSTEM32% folder named something like f1r3fox.exe.

Jason Brooks

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Richardson
Sent: Friday, January 21, 2005 6:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Just blocked about 20 machines doing the same thing on our Res Net - all port 139.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139.  Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for? We caught a dramatic increase in port 135 scans originating from the RESNET this morning. Before today, all was quiet, so I'm wondering if there might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this. There is a snort rule for it.

If you notice traffic going to 81.91.66.220, you probably have infected hosts.

There are several strains going around as we have had to update McAfee 3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.