Educause Security Discussion mailing list archives

Re: bestfriends.scr AIM virus


From: Jason Richardson <A00JER2 () WPO CSO NIU EDU>
Date: Tue, 25 Jan 2005 11:46:26 -0600

We haven't seen it spreading via AIM but I don't know that it hasn't.
Interestingly we saw it spread on our resnet using ports 135 and 139 but
not 445.  The relatively minor spread on our network admin network was
exclusively port 445. I don't know if this is the beast but it looks
like it or similar -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAGOBOT%2EAGK

Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

wilsodm () AUBURN EDU 1/24/2005 11:37:55 AM >>>
Jason,
I posted the original message and you are correct, the subject is
misleading.  It is a SDBot/Gaobot variant but from what I understand,
it spreads via AIM.

This is typical to what we have seen:
18:29:04.404272 64.12.24.216.5190 > 131.204.x.x.4595: P 1897733867:1897734053(186) ack 2532983572 win 16384 (DF)
.
.
.
0x0080   41f2 8c68 0003 001f 7465 7874 2f61 6f6c   A..h....text/aol
0x0090   7274 663b 2063 6861 7273 6574 3d22 7573   rtf;.charset="us
0x00a0   2d61 7363 6969 2200 0400 374f 4d47 204c   -ascii"...7OMG.L
0x00b0   4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65   OOK.http://www.e
0x00c0   6d61 6c69 612e 6e65 742f 6265 7374 6672   malia.net/bestfr
0x00d0   6965 6e64 732e 7363 7220 3f21 2121 3f3f   iends.scr.?!!!??

Snort Rules:
alert tcp $EXTERNAL_NET 5190 -> any any ( sid: 131204042; rev: 4; msg: "LOCAL - Bestfriends.scr"; content: "http"; nocase; content: "bestfriends.scr"; within: 80; nocase;)
alert tcp $HOME_NET any -> any 5190 ( sid: 131204043; rev: 5; msg: "LOCAL - Bestfriends.scr Outbound"; content: "http"; nocase; content: "bestfriends.scr"; within: 80; nocase;)



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
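The hex dump and the two Snort rules in Mark Wilson's post above can be checked against each other offline. The following script is an added example, not code from the thread or from any of the institutions posting in it: it decodes the quoted `tcpdump -X` style dump into raw bytes, emulates how a chain of Snort `content` keywords with `nocase` and `within` is evaluated (each later pattern must end within N bytes after the end of the previous match), and pulls out the URL that the message pushed to the victim so an analyst can see what was sent. The function and variable names are the example's own; the only data is the dump quoted in the post.

```python
import re

# Hex dump of the AIM message quoted in Mark Wilson's post (only the hex
# columns are kept; tcpdump's ASCII column is reconstructed by the parser).
AIM_HEXDUMP = """
0x0080   41f2 8c68 0003 001f 7465 7874 2f61 6f6c
0x0090   7274 663b 2063 6861 7273 6574 3d22 7573
0x00a0   2d61 7363 6969 2200 0400 374f 4d47 204c
0x00b0   4f4f 4b20 6874 7470 3a2f 2f77 7777 2e65
0x00c0   6d61 6c69 612e 6e65 742f 6265 7374 6672
0x00d0   6965 6e64 732e 7363 7220 3f21 2121 3f3f
"""

# The content chain from the two Snort rules, as (pattern, within) pairs.
# within=None means "search the whole payload" (the first content keyword);
# a number means the pattern must end within that many bytes after the end
# of the previous match, which is what Snort's `within` modifier enforces.
BESTFRIENDS_CONTENTS = [(b"http", None), (b"bestfriends.scr", 80)]


def parse_hexdump(text: str) -> bytes:
    """Turn `tcpdump -X` style lines (offset, then 2-byte hex groups) into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith("0x"):
            continue  # skip blank lines and the textual packet header
        for group in parts[1:]:
            if re.fullmatch(r"[0-9a-fA-F]{2,4}", group):
                out.extend(bytes.fromhex(group))
            else:
                break  # reached the ASCII column, if a line carries one
    return bytes(out)


def match_contents(payload: bytes, contents) -> bool:
    """Emulate a chain of Snort `content` keywords with `nocase` and `within`."""
    hay = payload.lower()          # nocase: compare lower-cased bytes
    pos = 0                        # end of the previous match
    for pattern, within in contents:
        pat = pattern.lower()
        if within is None:
            idx = hay.find(pat, pos)
        else:
            # The whole pattern must fit inside the `within` window.
            rel = hay[pos:pos + within].find(pat)
            idx = pos + rel if rel >= 0 else -1
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def extract_urls(payload: bytes) -> list:
    """Pull the http(s) URLs out of a payload so an analyst can see what was pushed."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[!-~]+", payload)]


def bestfriends_hit(payload: bytes) -> bool:
    """True when the payload would trigger the 'LOCAL - Bestfriends.scr' rules."""
    return match_contents(payload, BESTFRIENDS_CONTENTS)


if __name__ == "__main__":
    data = parse_hexdump(AIM_HEXDUMP)
    print("rule fires:", bestfriends_hit(data))
    print("urls seen:", extract_urls(data))
```

Running it shows the rule firing on the quoted packet and the pushed URL `http://www.emalia.net/bestfriends.scr`; the `within: 80` window is what keeps an unrelated "http" earlier in a long message from pairing with a filename much later in it.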

A00JER2 () WPO CSO NIU EDU 1/24/2005 7:50:11 AM >>>
Thanks for giving it a name because I don't think that this is the virus
named in the subject line for this thread - it acts like a Sdbot/Gaobot
variant.  I've been blocking infected student PCs all weekend.  Our
count is upwards of 50 now which isn't as bad as say Nachi/Welchia but
it's pretty bad.  I've seen port 135 and 139 but mostly 135.  So far our
admin network has been spared.

Thanks,

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

brooksje () LONGWOOD EDU 1/24/2005 7:23:28 AM >>>
Late Friday, we found the same things.  McAfee declared it to be
W32/Sdbot.worm.gen.j.  The file date/time stamp was Friday at 10:45 AM.
The Network Engineer noticed the 139 probes start at 11:00.  The
executable was in the %SYSTEM32% folder named something like f1r3fox.exe.

Jason Brooks

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Richardson
Sent: Friday, January 21, 2005 6:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Just blocked about 20 machines doing the same thing on our Res Net - all
port 139.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139.  Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for?  We
caught a dramatic increase in port 135 scans originating from the RESNET
this morning.  Before today, all was quiet, so I'm wondering if there
might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this.  There is
a snort rule for it.

If you notice traffic going to 81.91.66.220, you probably have infected
hosts.

There are several strains going around as we have had to update McAfee
3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
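Across the thread the posters identify infected hosts two ways: by a sudden burst of port 135/139/445 connection attempts from resnet machines (Jason Richardson, Jason Brooks) and by traffic to the address 81.91.66.220 named in Mark Wilson's original post. The script below is an added example, not code from the thread or from any of the universities in it, that applies both checks to a connection log. The log format, the field names and the sample records are constructed for the example (addresses come from the RFC 5737 documentation ranges; the destination port used for the known-bad address is a placeholder, since the thread gives only the address); the ports and the indicator address are the ones the thread reports.

```python
from collections import defaultdict

# Ports the thread reports the worm using to spread.
SPREAD_PORTS = {135, 139, 445}
# The one network indicator given in the thread: hosts talking to this
# address are "probably infected" (Mark Wilson).
KNOWN_BAD = {"81.91.66.220"}
# Distinct targets on the spread ports before a source is called a scanner.
SCAN_THRESHOLD = 10

# Constructed sample log (not from the thread). One line per TCP connection
# attempt, in a hypothetical "<time> <src> <sport> <dst> <dport>" format.
SAMPLE_LOG = "\n".join(
    # 192.0.2.10 sweeps port 139 across a dozen neighbours, worm-style
    [f"2005-01-21T11:00:{i:02d} 192.0.2.10 {1040 + i} 198.51.100.{i + 1} 139"
     for i in range(12)]
    # 192.0.2.20 opens one ordinary file-share session
    + ["2005-01-21T11:01:00 192.0.2.20 1050 198.51.100.50 445"]
    # 192.0.2.30 contacts the address named in the thread (port is a placeholder)
    + ["2005-01-21T11:02:00 192.0.2.30 1060 81.91.66.220 6667"]
    # 192.0.2.40 just browses the web
    + ["2005-01-21T11:03:00 192.0.2.40 1070 203.0.113.8 80"]
)


def parse_log(text: str):
    """Yield (time, src, sport, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, sport, dst, dport = parts
        try:
            yield ts, src, int(sport), dst, int(dport)
        except ValueError:
            continue


def flag_hosts(records, threshold: int = SCAN_THRESHOLD) -> dict:
    """Return {source_ip: [reasons]} for hosts that look infected."""
    targets = defaultdict(set)   # src -> distinct dst IPs hit on spread ports
    ports = defaultdict(set)     # src -> which spread ports it used
    ioc_hits = defaultdict(set)  # src -> known-bad addresses it contacted
    for _ts, src, _sport, dst, dport in records:
        if dport in SPREAD_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
        if dst in KNOWN_BAD:
            ioc_hits[src].add(dst)

    findings = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            findings.setdefault(src, []).append(
                f"scanned {len(dsts)} hosts on ports {sorted(ports[src])}")
    for src, bad in ioc_hits.items():
        findings.setdefault(src, []).append(
            f"contacted known bad host(s) {', '.join(sorted(bad))}")
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(flag_hosts(parse_log(SAMPLE_LOG)).items()):
        print(host, "->", "; ".join(reasons))
```

The scan check counts distinct destination hosts rather than raw connection attempts, so a single legitimate file-share session (192.0.2.20 above) does not trip it while a sweep across many neighbours does; the threshold is a tunable starting point, not a figure from the thread.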

**********
Participation and subscription information for this EDUCAUSE
Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
