[Dshield] FriendGreetings Worm is back

Russell Washington russ.washington at vaultsentry.com
Thu Oct 31 15:18:14 GMT 2002


You're evil.  I like it. :)

12.65.116.0/24 - contains newly-added nameservers for
www .friendgreetings.com
65.89.168.0/24 - contains primary & secondary nameservers for
www .friendgreetings.com, www .friendgreetings.com itself, some mystery
address that the install process talks to (download site?),
www .cool-downloads.net, and www .cool-downloads.com.

You can verify this stuff using nslookup/dig and WHOIS info.  Of course, if
you spoof the DNS as described, it won't matter :)

-----Original Message-----
From: Richard Roy [mailto:RoyR at justicetrax.com] 
Sent: Thursday, October 31, 2002 6:36 AM
To: list at dshield.org
Subject: RE: [Dshield] FriendGreetings Worm is back


Does anyone have the IP(s) to block?  I would also like to reconfig my DNS
to remap it to say...  www.gettowork.com so when my users go there they get
the message!  ;-)


-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora at phra.com]
Sent: Wednesday, October 30, 2002 6:37 PM
To: list at dshield.org
Subject: [Dshield] FriendGreetings Worm is back


FriendGreetings invitation messages have been trickling in here all
afternoon.

Proof that "no download" policies should be enforced in the workplace. And
maybe a good argument for having qualification tests before allowing folks
to have an electronic contact list.

Symantec's writeup at
http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html
pretty well lays it out: "Payload Trigger: Accept two End User License
Agreements". How can AV products possibly protect against this kind of
reckless user behavior?

And how can AV vendors hope to win the legal shoving contest that will
inevitably come from them blocking software with clear EULAs authorizing the
behavior of the installed product? This stuff is not buried in the fine
print or legalese - the software installation process makes it very clear
what it will do, and gives the user plenty of chances to abort the install.

I hate FriendGreetings and I'll block them through every available means,
but I can't say that they have done anything any worse to anyone than the
Honor System Virus does.

Gotta go. I wanna see my e-cards.

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
