[Dshield] FriendGreetings Worm is back

Russell Washington russ.washington at vaultsentry.com
Fri Nov 1 15:39:41 GMT 2002


Typo on my part.  The second octet should be 165 as you picked up.

Thanks for catching that..!

-----Original Message-----
From: Bob Savage [mailto:bsavage at rnr-inc.com] 
Sent: Thursday, October 31, 2002 9:24 AM
To: list at dshield.org
Subject: RE: [Dshield] FriendGreetings Worm is back


Hmmm.  I have it as 12.165.116.0/24 (note 165, not 65), Blue Fox Media,
located at the same address in Utah as Free Yankee, 65.89.168.0/24. Both
Free Yankee and Blue Fox show up in searches on cool-download.com,
friendlygreeting, etc.  Not completely sure I'm right with the first IP
number, but it seems to fit together.  Maybe both (12.65.116.0/24 AND
12.165.116.0/24) are correct.  Feedback?

Bob Savage


-----Original Message-----
From: Russell Washington [mailto:russ.washington at vaultsentry.com]
Sent: Thursday, October 31, 2002 9:18 AM
To: 'list at dshield.org'
Subject: RE: [Dshield] FriendGreetings Worm is back


You're evil.  I like it. :)

12.65.116.0/24 - contains newly-added nameservers for
www .friendgreetings.com

65.89.168.0/24 - contains primary & secondary nameservers for
www .friendgreetings.com, www .friendgreetings.com itself, some mystery
address that the install process talks to (download site?),
www .cool-downloads.net, and www .cool-downloads.com.

You can verify this stuff using nslookup/dig and WHOIS info.  Of course, if
you spoof the DNS as described, it won't matter :)

-----Original Message-----
From: Richard Roy [mailto:RoyR at justicetrax.com] 
Sent: Thursday, October 31, 2002 6:36 AM
To: list at dshield.org
Subject: RE: [Dshield] FriendGreetings Worm is back


Does anyone have the IP(s) to block?  I would also like to reconfig my DNS
to remap it to, say...  www.gettowork.com so when my users go there they get
the message!  ;-)


-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora at phra.com]
Sent: Wednesday, October 30, 2002 6:37 PM
To: list at dshield.org
Subject: [Dshield] FriendGreetings Worm is back


FriendGreetings invitation messages have been trickling in here all
afternoon.

Proof that "no download" policies should be enforced in the workplace. And
maybe a good argument for having qualification tests before allowing folks
to have an electronic contact list.

Symantec's writeup at
http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html
pretty well lays it out: "Payload Trigger: Accept two End User License
Agreements". How can AV products possibly protect against this kind of
reckless user behavior?

And how can AV vendors hope to win the legal shoving contest that will
inevitably come from them blocking software with clear EULAs authorizing the
behavior of the installed product? This stuff is not buried in the fine
print or legalese - the software installation process makes it very clear
what it will do, and gives the user plenty of chances to abort the install.

I hate FriendGreetings and I'll block them through every available means,
but I can't say that they have done anything any worse to anyone than the
Honor System Virus does.

Gotta go. I wanna see my e-cards.

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
