[Dshield] RE: FriendGreetings Worm is back

James C Slora Jr Jim.Slora at phra.com
Thu Oct 31 17:28:23 GMT 2002


Friendgreetings sites, best as I can tell last time I checked, were:
Web sites: *.friendgreetings.com
Web sites: *.cool-downloads.com
Web sites: *.cool-downloads.net
IP addresses: 65.89.168.0-65.89.168.255 (cool-downloads.* class C - www,
dns, etc)
IP addresses: 207.21.232.0-207.21.232.255 (friendgreetings.com class C)
IP addresses: 12.165.116.0-12.165.116.255 (HostPanama nameservers and
infrastructure)

Plus subject blocking, content filtering, etc.

These are just band-aid measures. The download site could change daily, and
the message subject and text could just as easily be changed. The success of
this perfectly legal social engineering worm will certainly not go unnoticed
by other unscrupulous sites.

Richard Roy wrote Thu, 31 Oct 2002 07:35:31 -0700

> does anyone have the ip(s) to block?  I would also like to
> reconfig my dns to remap it to say...  www.gettowork.com so when
> my users go there they get the message!  ;-)
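
As an added illustration (not part of the original message or the thread), the Python sketch below turns the sites and address ranges listed above into a matcher for proxy or DNS log entries. The three-field log format, the sample lines, the function names, and treating the bare domain as covered by the wildcard are assumptions made for the example.

```python
import ipaddress
# Indicators copied from the message above.
BLOCKED_DOMAINS = ("friendgreetings.com", "cool-downloads.com", "cool-downloads.net")
BLOCKED_RANGES = (
    ("65.89.168.0", "65.89.168.255"),
    ("207.21.232.0", "207.21.232.255"),
    ("12.165.116.0", "12.165.116.255"),
)
# Collapse each first-last range into CIDR networks (one /24 per range here).
BLOCKED_NETS = [
    net for first, last in BLOCKED_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

def domain_blocked(host):
    """Match the domain or any subdomain, but not look-alike suffixes."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def ip_blocked(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed address field in the log
        return False
    return any(ip in net for net in BLOCKED_NETS)

def flag_requests(log_lines):
    """Return (client, host, dest_ip, reason) for lines that hit the list."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:  # skip lines not in the assumed format
            continue
        client, host, dest = parts
        reasons = [r for r, hit in (("domain", domain_blocked(host)),
                                    ("ip", ip_blocked(dest))) if hit]
        if reasons:
            hits.append((client, host, dest, "+".join(reasons)))
    return hits

# Constructed sample log: "client requested-host destination-ip" (assumed format).
SAMPLE_LOG = [
    "10.0.0.5 www.friendgreetings.com 207.21.232.10",
    "10.0.0.6 notfriendgreetings.com 192.0.2.10",      # look-alike, no match
    "10.0.0.7 mirror.example.net 65.89.168.200",       # new name, listed range
    "10.0.0.8 WWW.Cool-Downloads.NET. 192.0.2.30",     # listed name, new address
]
if __name__ == "__main__": print(*flag_requests(SAMPLE_LOG), sep="\n")
```

The last two sample lines are each caught by only one of the two lists, so a site that changes both its name and its address matches neither.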



