[Dshield] FriendGreetings Worm is back

Bob Savage bsavage at rnr-inc.com
Thu Oct 31 17:24:11 GMT 2002


Hmmm.  I have it as 12.165.116.0/24 (note 165, not 65), Blue Fox Media,
located at the same address in Utah as Free Yankee, 65.89.168.0/24.
Both Free Yankee and Blue Fox show up in searches on cool-download.com,
friendlygreeting, etc.  Not completely sure I'm right with the first IP
number, but it seems to fit together.  Maybe both (12.65.116.0/24 AND
12.165.116.0/24) are correct.  Feedback?

Bob Savage


-----Original Message-----
From: Russell Washington [mailto:russ.washington at vaultsentry.com]
Sent: Thursday, October 31, 2002 9:18 AM
To: 'list at dshield.org'
Subject: RE: [Dshield] FriendGreetings Worm is back


You're evil.  I like it. :)

12.65.116.0/24 - contains newly-added nameservers for
www .friendgreetings.com
65.89.168.0/24 - contains primary & secondary nameservers for
www .friendgreetings.com, www .friendgreetings.com itself, some mystery
address that the install process talks to (download site?),
www .cool-downloads.net, and www .cool-downloads.com.

You can verify this stuff using nslookup/dig and WHOIS info.  Of course,
if you spoof the DNS as described, it won't matter :)

-----Original Message-----
From: Richard Roy [mailto:RoyR at justicetrax.com] 
Sent: Thursday, October 31, 2002 6:36 AM
To: list at dshield.org
Subject: RE: [Dshield] FriendGreetings Worm is back


Does anyone have the IP(s) to block?  I would also like to reconfig my
DNS to remap it to say...  www.gettowork.com so when my users go there
they get the message!  ;-)


-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora at phra.com]
Sent: Wednesday, October 30, 2002 6:37 PM
To: list at dshield.org
Subject: [Dshield] FriendGreetings Worm is back


FriendGreetings invitation messages have been trickling in here all
afternoon.

Proof that "no download" policies should be enforced in the workplace.
And maybe a good argument for having qualification tests before allowing
folks to have an electronic contact list.

Symantec's writeup at
http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html
pretty well lays it out: "Payload Trigger: Accept two End User License
Agreements". How can AV products possibly protect against this kind of
reckless user behavior?

And how can AV vendors hope to win the legal shoving contest that will
inevitably come from them blocking software with clear EULAs authorizing
the behavior of the installed product? This stuff is not buried in the
fine print or legalese - the software installation process makes it very
clear what it will do, and gives the user plenty of chances to abort the
install.

I hate FriendGreetings and I'll block them through every available
means, but I can't say that they have done anything any worse to anyone
than the Honor System Virus does.

Gotta go. I wanna see my e-cards.

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
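
The two defensive steps discussed in the thread (checking which of the posted /24 blocks the names really resolve into, and remapping the domains at the internal resolver), as an added example that is not code from any poster. Assumptions: the resolver is Unbound, the sinkhole address 192.0.2.10 is a placeholder, and the sample lookup answers are constructed.

```python
import ipaddress

# Indicators as posted in the thread. The first /24 is disputed (65 vs 165),
# so both candidates stay listed until DNS/WHOIS data settles it.
CANDIDATE_NETS = ["12.65.116.0/24", "12.165.116.0/24", "65.89.168.0/24"]
DOMAINS = ["friendgreetings.com", "cool-downloads.net", "cool-downloads.com"]
SINKHOLE = "192.0.2.10"  # assumption: internal notice page (TEST-NET-1 placeholder)

# Constructed (name, A record) pairs standing in for dig/nslookup output;
# these are not real lookups and say nothing about the actual records.
SAMPLE_ANSWERS = [
    ("ns-a.sample.invalid", "65.89.168.5"),
    ("www.sample.invalid", "65.89.168.20"),
    ("dl.sample.invalid", "198.51.100.7"),
]

def match_networks(resolved, candidates=CANDIDATE_NETS):
    """Return (hits, unmatched): a candidate with no hits is unconfirmed by this
    data; an unmatched address is one the block list does not cover."""
    nets = [ipaddress.ip_network(c) for c in candidates]
    hits = {str(n): [] for n in nets}
    unmatched = []
    for name, addr in resolved:
        ip = ipaddress.ip_address(addr)
        owners = [str(n) for n in nets if ip in n]
        for cidr in owners:
            hits[cidr].append((name, addr))
        if not owners:
            unmatched.append((name, addr))
    return hits, unmatched

def unbound_overrides(domains=DOMAINS, sinkhole=SINKHOLE):
    """Build Unbound local-zone lines that answer each domain and all of its
    subdomains with the sinkhole address instead of the real records."""
    lines = []
    for domain in domains:
        fqdn = domain.rstrip(".").lower() + "."
        lines.append(f'local-zone: "{fqdn}" redirect')
        lines.append(f'local-data: "{fqdn} A {sinkhole}"')
    return lines

if __name__ == "__main__":
    hits, unmatched = match_networks(SAMPLE_ANSWERS)
    for cidr, found in hits.items():
        print(cidr, "confirmed" if found else "unconfirmed", found)
    print("not covered by any candidate:", unmatched)
    print("\n".join(unbound_overrides()))
```

Feed `match_networks` the real answers from dig or nslookup for each name before committing either disputed /24 to a firewall rule.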
