Educause Security Discussion mailing list archives
Re: bestfriends.scr AIM virus
From: Jason Richardson <A00JER2 () WPO CSO NIU EDU>
Date: Tue, 25 Jan 2005 11:46:26 -0600
We haven't seen it spreading via AIM but I don't know that it hasn't. Interestingly we saw it spread on our resnet using ports 135 and 139 but not 445. The relatively minor spread on our network admin network was exclusively port 445. I don't know if this is the beast but it looks like it or similar - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAGOBOT%2EAGK .

Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
wilsodm () AUBURN EDU 1/24/2005 11:37:55 AM >>>
Jason, I posted the original message and you are correct, the subject is misleading. It is a SDBot/GoaBot variant but from what I understand, it spreads via AIM. This is typical to what we have seen:

18:29:04.404272 64.12.24.216.5190 > 131.204.x.x.4595: P 1897733867:1897734053(186) ack 2532983572 win 16384 (DF)
. . .
0x0080 41f2 8c68 0003 001f 7465 7874 2f61 6f6c   A..h....text/aol
0x0090 7274 663b 2063 6861 7273 6574 3d22 7573   rtf;.charset="us
0x00a0 2d61 7363 6969 2200 0400 374f 4d47 204c   -ascii"...7OMG.L
0x00b0 4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65   OOK.http://www.e
0x00c0 6d61 6c69 612e 6e65 742f 6265 7374 6672   malia.net/bestfr
0x00d0 6965 6e64 732e 7363 7220 3f21 2121 3f3f   iends.scr.?!!!??

Snort Rules:

alert tcp $EXTERNAL_NET 5190 -> any any ( sid: 131204042; rev: 4; msg: "LOCAL - Bestfriends.scr"; content: "http"; nocase; content: "bestfriends.scr"; within: 80; nocase;)

alert tcp $HOME_NET any -> any 5190 ( sid: 131204043; rev: 5; msg: "LOCAL - Bestfriends.scr Outbound"; content: "http"; nocase; content: "bestfriends.scr"; within: 80; nocase;)

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
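The two Snort rules in Mark Wilson's post can be checked offline against the packet he captured. The Python script below is an added example, not part of the post or of any Snort release: it rebuilds the payload from the six tcpdump hex-dump lines quoted above (embedded here as constructed sample input copied from the post; the offsets start at 0x0080 because the post omits the start of the packet) and then applies the same payload test the rules express, a case-insensitive "http" followed by "bestfriends.scr" within 80 bytes of the end of that match. The function names (parse_tcpdump_hex, content_within, matches_bestfriends_rule) are mine, and content_within is an approximation of Snort's content/within semantics, not Snort's own matcher; the rule header's direction and port 5190 conditions are not modelled.

```python
import re

# Hex-dump lines from the tcpdump capture quoted in the post (constructed
# sample input, copied here so the script runs offline).  Offsets begin at
# 0x0080 because the post omits the beginning of the packet.
SAMPLE_DUMP = """\
0x0080 41f2 8c68 0003 001f 7465 7874 2f61 6f6c A..h....text/aol
0x0090 7274 663b 2063 6861 7273 6574 3d22 7573 rtf;.charset="us
0x00a0 2d61 7363 6969 2200 0400 374f 4d47 204c -ascii"...7OMG.L
0x00b0 4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65 OOK.http://www.e
0x00c0 6d61 6c69 612e 6e65 742f 6265 7374 6672 malia.net/bestfr
0x00d0 6965 6e64 732e 7363 7220 3f21 2121 3f3f iends.scr.?!!!??
"""

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{4}$")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -X style lines: an offset, up to eight
    two-byte hex groups, then an ASCII column that is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:          # at most 16 bytes per line
            if not HEX_GROUP.match(tok):
                break                    # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def content_within(payload: bytes, first: bytes, second: bytes,
                   within: int, nocase: bool = True) -> bool:
    """Approximation (my own, not Snort's code) of
    'content:first; content:second; within:N;' with nocase on both:
    `second` must lie entirely inside the N bytes that follow the end of a
    `first` match.  Every occurrence of `first` is tried in turn."""
    if nocase:
        hay, a, b = payload.lower(), first.lower(), second.lower()
    else:
        hay, a, b = payload, first, second
    pos = hay.find(a)
    while pos != -1:
        end = pos + len(a)
        if b in hay[end:end + within]:
            return True
        pos = hay.find(a, pos + 1)
    return False


def matches_bestfriends_rule(payload: bytes) -> bool:
    """Payload test shared by sid 131204042 and 131204043 from the post;
    the port/direction checks live in the rule header, not here."""
    return content_within(payload, b"http", b"bestfriends.scr", within=80)


if __name__ == "__main__":
    pkt = parse_tcpdump_hex(SAMPLE_DUMP)
    print(f"{len(pkt)} bytes reconstructed; alert={matches_bestfriends_rule(pkt)}")
```

Running it reconstructs 96 bytes and reports an alert for the captured message. The boundary cases in the matcher are the ones a rule author cares about: "bestfriends.scr" fits inside the 80-byte window after "http" in the capture (it ends 33 bytes after the match), and a link to a .txt of the same name does not trip the rule.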
A00JER2 () WPO CSO NIU EDU 1/24/2005 7:50:11 AM >>>
Thanks for giving it a name because I don't think that this is the virus named in the subject line for this thread - it acts like a Sdbot/Gaobot variant. I've been blocking infected student PCs all weekend. Our count is upwards of 50 now which isn't as bad as say Nachi/Welchia but it's pretty bad. I've seen port 135 and 139 but mostly 135. So far our admin network has been spared.

Thanks,

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
brooksje () LONGWOOD EDU 1/24/2005 7:23:28 AM >>>
Late Friday, we found the same things. McAfee declared it to be W32/Sdbot.worm.gen.j. The file date/time stamp was Friday at 10:45 AM. The Network Engineer noticed the 139 probes start at 11:00. The executable was in the %SYSTEM32% folder named something like f1r3fox.exe.

Jason Brooks

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Richardson
Sent: Friday, January 21, 2005 6:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Just blocked about 20 machines doing the same thing on our Res Net - all port 139.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139. Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for? We caught a dramatic increase in port 135 scans originating from the RESNET this morning. Before today, all was quiet, so I'm wondering if there might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this. There is a snort rule for it. If you notice traffic going to 81.91.66.220, you probably have infected hosts. There are several strains going around as we have had to update McAfee 3 times. More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.