Educause Security Discussion mailing list archives

Re: bestfriends.scr AIM virus


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Fri, 21 Jan 2005 14:28:22 -0600

FYI, I have scanned several samples via http://virusscan.jotti.dhs.org/ , and except for the bytesize and maybe the 
port, the below is common:
***********************************************
Sandbox: W32/Malware; [ General information ]

* File length: 33280 bytes. * VARIES

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\F1REF0X.EXE.

[ Changes to registry ]
* Creates value "Mozilla Firefox"="F1REF0X.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Mozilla Firefox"="F1REF0X.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

[ Network services ]
* Looks for an Internet connection.
* Connects to "81.91.66.220" on port 8080 (TCP). * PORT MAY VARY BUT NOT IP
* Connects to IRC Server.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot 
**********************************************
Evidently there is another such BOT spreading via IM per http://isc.sans.org//index.php 

brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139.  Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for?  We
caught a dramatic increase in port 135 scans originating from the RESNET
this morning.  Before today, all was quiet, so I'm wondering if there might
be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu 

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this.  There is
a snort rule for it.

If you notice traffic going to 81.91.66.220, you probably have infected
hosts.

There are several strains going around as we have had to update McAfee
3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm 

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
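Added example (written here for this archive page; it is not code from any message in the thread or from the list): a small Python script that applies the indicators posted above from a defender's side. It parses constructed firewall log lines to list internal hosts that contacted 81.91.66.220 on any port (the sandbox notes say the port varies between strains but the IP does not), and checks a registry snapshot for the "Mozilla Firefox"="F1REF0X.EXE" value under the Run and RunServices keys quoted in the report. The log format, the internal addresses, and the function names are assumptions made for the example.

```python
"""
Hypothetical detection helpers built only from the indicators posted in the
thread: traffic to 81.91.66.220 (port varies per strain, the IP does not) and
the autorun value "Mozilla Firefox"="F1REF0X.EXE" under Run / RunServices.
The log format, hosts and registry snapshot below are constructed, not real.
"""
import re
from collections import defaultdict

# Indicators taken from the sandbox report quoted in the thread.
C2_IP = "81.91.66.220"
AUTORUN_VALUE_NAME = "Mozilla Firefox"
AUTORUN_VALUE_DATA = "F1REF0X.EXE"
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed firewall log lines in a generic "src -> dst" layout (assumed format).
SAMPLE_LOG = """\
2005-01-21 11:02:13 ALLOW TCP 10.20.30.41:1105 -> 81.91.66.220:8080
2005-01-21 11:02:15 ALLOW TCP 10.20.30.41:1106 -> 64.12.24.11:5190
2005-01-21 11:03:40 ALLOW TCP 10.20.31.7:1033 -> 81.91.66.220:6667
2005-01-21 11:04:02 DENY  TCP 10.20.30.41:1107 -> 10.20.40.5:135
2005-01-21 11:05:55 ALLOW TCP 10.20.30.41:1108 -> 81.91.66.220:8080
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_c2_contacts(log_text, c2_ip=C2_IP):
    """Map each internal source IP to the set of remote ports it used when
    contacting the C2 address. The port is deliberately not part of the match
    because the thread notes it varies between strains while the IP does not."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] == c2_ip:
            hits[rec["src"]].add(int(rec["dport"]))
    return dict(hits)


def check_autorun(registry_values):
    """registry_values: mapping of key path -> {value_name: value_data}, as one
    might build from a host query or a .reg export. Returns the autorun key
    paths that carry the value described in the sandbox report."""
    flagged = []
    for key in AUTORUN_KEYS:
        data = registry_values.get(key, {}).get(AUTORUN_VALUE_NAME, "")
        # Compare case-insensitively and tolerate a quoted or pathed value.
        if data.strip('"').upper().endswith(AUTORUN_VALUE_DATA):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for host, ports in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(f"{host} contacted {C2_IP} on port(s) {sorted(ports)}")
    # Constructed registry snapshot of a host showing the reported autorun value.
    sample_reg = {AUTORUN_KEYS[0]: {AUTORUN_VALUE_NAME: AUTORUN_VALUE_DATA}}
    print("autorun hits:", check_autorun(sample_reg))
```

Matching on the destination IP alone, rather than IP and port, follows the "PORT MAY VARY BUT NOT IP" note in the report; the port set per host is kept only so an analyst can see which strain's port each host used.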
