[Dshield] FriendGreetings Worm is back

Jason Allen jallen at garden-city.org
Wed Oct 30 21:27:05 GMT 2002


I agree. Very interesting that impact from admins toward Symantec had an
effect on their handling of the friendgreetings. 

We've updated our NavCorp sigs (2 revisions today?? interesting in itself)
and have also blocked the IP at the firewall and just for grins, added MSI
files to our list of blocked attachments in Antigen. 

I appreciate the week-long heads-up I got from you guys on this one. We saw
ONE instance of the message on our network, but due to your sharing with us,
I think we've got it whooped. 

JA


-----Original Message-----
From: Russell Washington [mailto:russ.washington at vaultsentry.com]
Sent: Wednesday, October 30, 2002 12:02 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] FriendGreetings Worm is back


http://www.msnbc.com/news/826033.asp?0dm=L19NT

MSNBC's reporting on this stinks but there's some useful info there.  There
is supposedly a new variant that references cool-downloads.net and/or
cool-downloads.com.  In addition there are two additional nameservers that
have been added to friendgreetings.com according to WHOIS.

We decided to blackhole the Class C ranges corresponding to the nameservers
for friendgreetings.com.  Seems to make it a non-issue.

Also interesting is that Symantec changed its tune on whether they were
going to detect this.

http://securityresponse.symantec.com/avcenter/venc/data/w32.friendgreet.worm.html

-----Original Message-----
From: Coxe, John B. [mailto:JOHN.B.COXE at saic.com] 
Sent: Wednesday, October 30, 2002 11:02 AM
To: Dshield List (E-mail)
Subject: [Dshield] FriendGreetings Worm is back



Apparently, the URL used for downloads by the worm has become active again.
There are also reports that the downloaded file now has been modified to
circumvent antivirus detection.  FYI, if you are not blocking the source and
depend on A/V protection.

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
