Snort mailing list archives

Re: W32.Badtrans.B@mm


From: John Sage <jsage () finchhaven com>
Date: Tue, 27 Nov 2001 08:40:40 -0800

No:  that's only going to do the *.scr variation, isn't it..

erp..

"The second extension that is appended to the file name is one of the following: .pif .scr..."


This from:

http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b () mm html


- John

John Sage wrote:

Brad:

This seems to be doing it for me:

alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm";
 content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)

This is in virus.rules in the 1.8.2 build 86 *nix release..


Results:

[**] Virus - Possible scr Worm [**]
11/25-09:24:33.110806 216.21.229.220:110 -> 12.82.129.39:63728
TCP TTL:50 TOS:0x0 ID:60154 IpLen:20 DgmLen:1014 DF
***AP*** Seq: 0x735E1172  Ack: 0xE8893930  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 50653281 30268773
2D 2D 3D 3D 3D 3D 5F 41 42 43 30 39 38 37 36 35  --====_ABC098765
34 33 32 31 44 45 46 5F 3D 3D 3D 3D 2D 2D 0D 0A  4321DEF_====--..
0D 0A 2D 2D 3D 3D 3D 3D 5F 41 42 43 31 32 33 34  ..--====_ABC1234
35 36 37 38 39 30 44 45 46 5F 3D 3D 3D 3D 0D 0A  567890DEF_====..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 75  Content-Type: au
64 69 6F 2F 78 2D 77 61 76 3B 0D 0A 09 20 6E 61  dio/x-wav;... na
6D 65 3D 22 6E 65 77 73 5F 64 6F 63 2E 44 4F 43  me="news_doc.DOC
2E 73 63 72 22 0D 0A 43 6F 6E 74 65 6E 74 2D 54  .scr"..Content-T
72 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67  ransfer-Encoding
3A 20 62 61 73 65 36 34 0D 0A 43 6F 6E 74 65 6E  : base64..Conten
74 2D 49 44 3A 20 3C 45 41 34 44 4D 47 42 50 39  t-ID: <EA4DMGBP9
70 3E 0D 0A 0D 0A 54 56 71 51 41 41 4D 41 41 41  p>....TVqQAAMAAA
41 45 41 41 41 41 2F 2F 38 41 41 4C 67 41 41 41  AEAAAA//8AALgAAA

<snip>




bthaler () webstream net wrote:

Does anyone have a rule for the new W32.Badtrans.B@mm virus going around?
I'm getting flooded with it, and was hoping to be able to keep track of it.





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
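Added example, not code from the thread or from the Snort ruleset: a Python check for the gap John points out. A bare `.scr` content match (the virus.rules sid:729 logic) hits the `.scr` variant but is blind to `.pif`, while reading the MIME attachment name and testing for a doubled extension that ends in either of the two extensions named in the Symantec write-up catches both. The message below is constructed from the headers visible in the alert, not captured traffic, and the `report.TXT.pif` filename is invented.

```python
from email import message_from_string

# The two "second extensions" quoted from the Symantec write-up.
BAD_SECOND_EXT = (".pif", ".scr")

# Constructed multipart message (not captured traffic), modelled on the
# Content-Type / Content-ID headers seen in the alert payload above.
# The .pif attachment name is invented for the example.
SAMPLE_MAIL = (
    "From: someone@example.invalid\r\n"
    "Subject: Re:\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="\r\n'
    "\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    "Content-Type: text/html;\r\n\t charset=us-ascii\r\n"
    "\r\n<html></html>\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    'Content-Type: audio/x-wav;\r\n\t name="news_doc.DOC.scr"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <EA4DMGBP9p>\r\n"
    "\r\nTVqQAAMAAAAEAAAA//8AALgAAA\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    'Content-Type: audio/x-wav;\r\n\t name="report.TXT.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\nTVqQAAMAAAAEAAAA//8AALgAAA\r\n"
    "--====_ABC1234567890DEF_====--\r\n"
)


def snort_content_match(payload: str, needle: str = ".scr") -> bool:
    """Loose stand-in for `content:".scr"; nocase;`: a case-insensitive
    substring match anywhere in the payload, nothing more."""
    return needle.lower() in payload.lower()


def double_extension_attachments(raw_mail: str) -> list[str]:
    """Return attachment names shaped like base.ext1.ext2 whose final
    extension is .pif or .scr, regardless of case. The email parser
    handles the folded 'name=' parameter seen in the capture."""
    msg = message_from_string(raw_mail)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename or Content-Type name
        if not name:
            continue
        pieces = name.lower().rsplit(".", 2)
        if len(pieces) == 3 and "." + pieces[2] in BAD_SECOND_EXT:
            hits.append(name)
    return hits
```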

