Snort mailing list archives

Re: pif WORM?

From: Mike Baptiste <mike () baptistefamily net>
Date: Mon, 13 Aug 2001 16:09:09 -0400

Most likely is the SirCam virus - its still making the rounds (I stillget a couple of these emails a day) The attachment is sometimessuffixed with .pif (or .lnk)


http://www.sarc.com/avcenter/venc/data/w32.sircam.worm () mm html

Mike

john.ruff () us abb com wrote:


Anyone have specific deatils rergarding this entry in my ALERT_FULL snort lof
file:

[**] [1:721:1] Virus - Possible pif Worm [**]
08/13-13:24:12.370939 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:63795 IpLen:20 DgmLen:1044
***AP*** Seq: 0xAC838C68  Ack: 0x14BBA  Win: 0xFAF0  TcpLen: 20

[**] [1:729:1] Virus - Possible scr Worm [**]
08/13-13:24:38.676198 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:64225 IpLen:20 DgmLen:1051
***A**** Seq: 0xAC898900  Ack: 0x14CA4  Win: 0xFAF0  TcpLen: 20

Thanks,
John



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

pif WORM? john . ruff (Aug 13)
- Re: pif WORM? Mike Baptiste (Aug 13)
- <Possible follow-ups>
- RE: pif WORM? Anthony Geoffron (Aug 13)
- RE: pif WORM? Hawrylkiw, Dan G (Aug 13)
- RE: pif WORM? Hawrylkiw, Dan G (Aug 13)