Snort mailing list archives
Fizzer Virus Signature
From: "Jeremy Junginger" <jj () act com>
Date: Tue, 13 May 2003 10:09:08 -0700
Has anyone written a signature for the Fizzer worm? I found these on Symantec's site, they are written for ManHunt, but they look very much like Snort signatures, plus they load okay (I put them in fizzer.rules). Could you take a look at them and let me know if I'm on the right track?

alert tcp any any -> any any (msg:"W32.HLLW.Fizzer@mm";content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t";nocase;content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e";nocase;)
alert udp any any -> any any (msg:"W32.HLLW.Fizzer@mm";content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t";nocase;content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e";nocase;)
alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer@mm";content:"AHMAZQByAHYAYwAuAGUAeABl";)
alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer@mm";content:"AGwAcwBlAHIAdgBjAC4AZQB4";)
alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer@mm";content:"AbABzAGUAcgB2AGMALgBlAHg";)

Many Thanks!

Also, could someone clarify what's going on with the |00| stuff? I've seen it here and there, but don't really understand it. I can see the obvious "Microsoft R Windows System Init" and "lservc.exe" (which looks strange, because it should be looking for iservc.exe AFAIK). Anyhow, thanks!
-Jeremy