Educause Security Discussion mailing list archives
Re: bestfriends.scr AIM virus
From: "Brock, Adam" <Adam_Brock () BAYLOR EDU>
Date: Sat, 22 Jan 2005 13:28:47 -0600
We've been seeing activity like this since the start of the school year. Typically it's an exe file in the %system32% folder, named similar to a legitimate process (i.e. "userinnit.exe", "f1r3f0x.exe", "explorar.exe"). Sort the files in system32 by date, and the file should be one of the most recently modified files. Most of the legit files will be modified the last time you installed XP, installed a Service Pack, or did a repair install.

The files will also usually put themselves in multiple run keys in the registry (HKCU & HKLM: Run, RunOnce, RunServices, RunServicesOnce).

Hope that helps!

Adam Brock

--
Adam Brock, Student Technology Specialist
Baylor University Campus Living & Learning
w.254.710.4550 m.254.709.9003
http://www.baylor.edu/resnet
http://www.baylor.edu/housing

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 12:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for? We caught a dramatic increase in port 135 scans originating from the RESNET this morning. Before today, all was quiet, so I'm wondering if there might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this. There is a snort rule for it. If you notice traffic going to 81.91.66.220, you probably have infected hosts. There are several strains going around as we have had to update McAfee 3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
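The two host-side checks Adam Brock describes (recently modified executables in System32 with look-alike names, and entries in the HKCU/HKLM Run, RunOnce, RunServices and RunServicesOnce keys) can be scripted so a technician does not have to eyeball the folder. The following is an added example written for this archive page, not code from the thread or from any of the posters. It assumes a Windows PowerShell host, and the look-back window, the "known good" process-name list and the leetspeak substitution map are illustrative choices of this example rather than anything the thread specifies.

```powershell
# Added example: automate the triage steps from the thread on a suspect XP/Windows host.
# Run from an elevated PowerShell prompt. $LookbackDays, $KnownGood and the
# character-substitution map below are assumptions of this example.
param([int]$LookbackDays = 14)

$system32 = Join-Path $env:SystemRoot 'System32'
$cutoff   = (Get-Date).AddDays(-$LookbackDays)

# Illustrative list of legitimate process names that droppers like to imitate.
$KnownGood = @('userinit.exe','explorer.exe','svchost.exe','lsass.exe','winlogon.exe',
               'csrss.exe','services.exe','smss.exe','spoolsv.exe','rundll32.exe',
               'firefox.exe','iexplore.exe')

# Undo common digit-for-letter substitutions so "f1r3f0x.exe" compares as "firefox.exe".
function ConvertTo-PlainName([string]$Name) {
    return ($Name.ToLower() -replace '0','o' -replace '1','i' -replace '3','e' -replace '4','a' -replace '5','s')
}

# Levenshtein distance, so "userinnit.exe" / "explorar.exe" are caught as 1 edit away.
function Get-EditDistance([string]$A, [string]$B) {
    $d = New-Object 'int[,]' -ArgumentList (($A.Length + 1), ($B.Length + 1))
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i,0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0,$j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i-1] -eq $B[$j-1]) { 0 } else { 1 }
            $d[$i,$j] = [Math]::Min([Math]::Min($d[$i-1,$j] + 1, $d[$i,$j-1] + 1), $d[$i-1,$j-1] + $cost)
        }
    }
    return $d[$A.Length,$B.Length]
}

# Returns the known-good name a file name imitates, or $null if it looks genuine/unrelated.
function Get-LookalikeTarget([string]$Name) {
    $plain = ConvertTo-PlainName $Name
    foreach ($good in $KnownGood) {
        if ($Name.ToLower() -eq $good) { return $null }          # exact legit name
        if ($plain -eq $good -or (Get-EditDistance $plain $good) -le 1) { return $good }
    }
    return $null
}

# 1. Recently modified executables in System32 (legit files mostly carry the
#    install / service-pack / repair-install date, so newer ones stand out).
$recent = Get-ChildItem -Path $system32 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe','.scr','.dll' -and $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending

Write-Host "== Executables in $system32 modified after $cutoff =="
foreach ($f in $recent) {
    $target = Get-LookalikeTarget $f.Name
    $flag = if ($target) { "LOOK-ALIKE of $target" } else { '' }
    '{0:yyyy-MM-dd HH:mm}  {1,10}  {2}  {3}' -f $f.LastWriteTime, $f.Length, $f.Name, $flag
}

# 2. Enumerate every value in the Run-family keys Adam lists, under both hives.
$runKeys = foreach ($hive in 'HKCU','HKLM') {
    foreach ($sub in 'Run','RunOnce','RunServices','RunServicesOnce') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}

Write-Host "`n== Autorun registry entries =="
$recentNames = $recent | ForEach-Object { $_.Name.ToLower() }
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $cmd = [string]$_.Value
            $exe = [System.IO.Path]::GetFileName(($cmd -replace '"','' -split ' ')[0]).ToLower()
            # Cross-reference: an autorun pointing at a recently modified System32 file
            # is exactly the pattern the thread describes.
            $note = if ($recentNames -contains $exe) { '  <-- references recently modified System32 file' } else { '' }
            "$key  [$($_.Name)] = $cmd$note"
        }
}
```

Anything reported as a look-alike, or as an autorun that points at a freshly written System32 binary, is a candidate for hashing and submitting to the AV vendor rather than deleting outright, since the thread notes several strains circulating and signature updates lagging behind them.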
Current thread:
- bestfriends.scr AIM virus Mark Wilson (Jan 21)
- <Possible follow-ups>
- Re: bestfriends.scr AIM virus Jason Brooks (Jan 21)
- Re: bestfriends.scr AIM virus Jason Brooks (Jan 21)
- Re: bestfriends.scr AIM virus Mark Wilson (Jan 21)
- Re: bestfriends.scr AIM virus Mark Wilson (Jan 21)
- Re: bestfriends.scr AIM virus Jason Richardson (Jan 21)
- Re: bestfriends.scr AIM virus Anderson, Brandie (Jan 21)
- Re: bestfriends.scr AIM virus Brock, Adam (Jan 22)
- Re: bestfriends.scr AIM virus RLVaughn (Jan 22)
- Re: bestfriends.scr AIM virus H. Morrow Long (Jan 22)
- Re: bestfriends.scr AIM virus Peter Moody (Jan 22)
- Re: bestfriends.scr AIM virus Cam Beasley, ISO (Jan 23)
- Re: bestfriends.scr AIM virus Cam Beasley, ISO (Jan 23)
- Re: bestfriends.scr AIM virus Jeff Kell (Jan 23)
- Re: bestfriends.scr AIM virus Jason Brooks (Jan 24)
- Re: bestfriends.scr AIM virus Jason Richardson (Jan 24)
- Re: bestfriends.scr AIM virus Mark Wilson (Jan 24)
- Re: bestfriends.scr AIM virus Jason Richardson (Jan 25)