Re: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email?

[falcon () secureconsulting net]

Has anybody developed a good IDS sig for catching the traffic?  AV vendors
don't seem to care about the network analysis of the traffic.  If anybody
has a completed nw analysis and ideas for a sig, would love to see it,
save myself some work. ;)

> Ok, after sorting through about 30 messages that all point out that AV
> vendors have signatures for the virus, I am rejecting all of them.
>
> In summary:  There is a fast spreading worm, write-ups are available at
> your preferred AV site, and I would prefer that discussion about this, on
> this list, should confine itself to the resulting implications of the worm
> (proxies, etc), rather than stopping it at the SMTP gateway or cleaning it
> from systems.
>
> D
>
> On Tue, 27 Jan 2004, Nigel Frankcom wrote:
>
> > Hi All,
> >
> > Over the last 2 hours our mail servers have seen a dramatic rise in
> > Mydoom virus emails.
> >
> > So far neither Panda nor McAfee are detecting it - tho the following
> > Content Filter is working for us:
> >
> > *C_o_n_tent-Transfer-Encoding: 7bit* (remove _'s)
> >
> > Subject seems to morph as each new wave is released.
> >
> > Most connections *seem* to be from private machines.
> >
> > Numbers are rising.
> >
> > Regards
> >
> > Nigel
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------