Snort mailing list archives
Re: Possible scr worm
From: rottz () securityflaw com
Date: Mon, 20 Aug 2001 09:52:48 -0500
john.ruff () us abb com wrote:
Any idea what might be causing this alert to be generated? I realize it's POP3 traffic (probably someone's internet mail acct.), but is there something new out there generating these alerts? I've actually got about 3600 of these alerts which just started Saturday (8/18/01). Need more info let me know.

[**] [1:729:1] Virus - Possible scr Worm [**]
08/20-10:04:45.515817 216.136.173.10:110 -> xxx.xxx.xx.xx:4062
TCP TTL:49 TOS:0x0 ID:2259 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x878CAF66 Ack: 0x2AE6A993 Win: 0x4470 TcpLen: 20

It's detecting an email with an .scr attachment, which is a Windows screensaver extension. Since you got 3,600 of these alerts, I'd be a bit concerned that one of my users was infected. I'd do a complete virus scan of all Windows computers that you are getting these alerts from.

Peter
--
rottz at securityflaw dot com
Founder of Securityflaw
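
To decide which machines to scan first, the alerts for this rule can be grouped by the client that downloaded the mail. The following is an added example, not part of the original thread: it assumes Snort's full alert text format as quoted above, and the function name, sample addresses and the second sid are constructed for illustration.

```python
import re
from collections import Counter

# Alert header in Snort's full alert format: [**] [gid:sid:rev] message [**]
HEADER = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")
# Packet line: MM/DD-HH:MM:SS.usec src:sport -> dst:dport
FLOW = re.compile(r"^(\d\d/\d\d)-[\d:.]+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")

# Constructed sample (RFC 5737 documentation addresses; sid 1000001 is made up).
SAMPLE = """\
[**] [1:729:1] Virus - Possible scr Worm [**]
08/18-09:12:01.100000 198.51.100.7:110 -> 192.0.2.21:4062
TCP TTL:49 TOS:0x0 ID:2259 IpLen:20 DgmLen:1500 DF

[**] [1:729:1] Virus - Possible scr Worm [**]
08/20-10:04:45.515817 198.51.100.7:110 -> 192.0.2.21:4075
TCP TTL:49 TOS:0x0 ID:2301 IpLen:20 DgmLen:1500 DF

[**] [1:1000001:1] Constructed unrelated alert [**]
08/20-10:05:00.000000 203.0.113.9 -> 192.0.2.30

[**] [1:729:1] Virus - Possible scr Worm [**]
08/20-11:30:10.250000 198.51.100.7:110 -> 192.0.2.44:1190
TCP TTL:49 TOS:0x0 ID:2410 IpLen:20 DgmLen:1500 DF
"""

def clients_for_sid(alert_text, sid=729, server_port=110):
    """Return {client_ip: (alert_count, first_seen_date)} for one rule."""
    counts, first_seen = Counter(), {}
    current_sid = None
    for line in alert_text.splitlines():
        header = HEADER.search(line)
        if header:
            current_sid = int(header.group(2))
            continue
        flow = FLOW.match(line)
        if not flow or current_sid != sid:
            continue
        date, _src, sport, dst, _dport = flow.groups()
        if int(sport) != server_port:
            continue  # keep only server -> client packets (mail being downloaded)
        counts[dst] += 1
        first_seen.setdefault(dst, date)
    return {ip: (n, first_seen[ip]) for ip, n in counts.most_common()}

if __name__ == "__main__":
    for ip, (n, first) in clients_for_sid(SAMPLE).items():
        print(f"{ip}  alerts={n}  first_seen={first}")
```

Hosts at the top of the output received the most flagged attachments, and the first-seen date shows when each one started.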