[Dshield] FriendGreetings Worm is back

Russell Washington russ.washington at vaultsentry.com
Wed Oct 30 20:01:31 GMT 2002


MSNBC's reporting on this stinks but there's some useful info there.  There
is supposedly a new variant that references cool-downloads.net and/or
cool-downloads.com.  In addition there are two additional nameservers that
have been added to friendgreetings.com according to WHOIS.

We decided to blackhole the Class C ranges corresponding to the nameservers
for friendgreetings.com.  Seems to make it a non-issue.

Also interesting is that Symantec changed its tune on whether they were
going to detect this.


-----Original Message-----
From: Coxe, John B. [mailto:JOHN.B.COXE at saic.com] 
Sent: Wednesday, October 30, 2002 11:02 AM
To: Dshield List (E-mail)
Subject: [Dshield] FriendGreetings Worm is back

Apparently, the URL used for downloads by the worm has become active again.
There are also reports that the downloaded file now has been modified to
circumvent antivirus detection.  FYI, if you are not blocking the source and
depend on A/V protection.
