Snort mailing list archives

W32.Bugbear.B@mm signature


From: CGhercoias () TWEC COM
Date: Fri, 6 Jun 2003 10:44:55 -0400

Hello all,

In case anyone is interested I created the definitions for W32.Bugbear.B@mm.

I took the payload data from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
and it seems that they are good.
I might be wrong, so please let me know about your experience with them.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<DATA SKIPS>>>>>>>>>>>>>>>>>>>>>>>>>>
alert tcp any any -> any 25 (sid:1000005; rev:3; msg:"BugBear B SMTP Worm Propagation"; flow:to_server,established; content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

# Port 139 carries the executable itself, so both patterns are the raw PE bytes in Snort |hex| notation
# (the "UPX0" section header, then the PE32 optional header); as plain ASCII hex digits they would never match.
alert tcp any any -> any 139 (sid:1000006; rev:4; msg:"BugBear B Network Worm Propagation"; flow:to_server,established; content:"|55 50 58 30 00 00 00 00 00 E0 06 00 00 10 00 00|"; content:"|0B 01 06 00 00 20 01 00 00 10 00 00 00 E0 06 00 20 01 08 00 00 F0 06 00 00 10 08 00 00 00 40 00 00 10 00 00 00 02|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000007; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|p|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000008; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|e|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000009; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|f|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000010; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|s|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000011; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|c|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000012; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|o|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000013; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|k|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000014; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|d|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000015; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|r|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000016; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|h|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000017; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|i|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000018; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|z|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000019; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|y|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

alert tcp any any -> any 1080 (sid:1000020; rev:1; msg:"BugBear B Backdoor Attack"; flow:to_server,established; content:"|3b|t|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype:trojan-activity;)

Thank you, 
___________________________
Catalin Ghercoias 
Web/Security System Administrator 

website: http://www.fye.com 
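A cross-check of the two propagation signatures, added here as an example and not part of the original post or of Symantec's data: it decodes the SMTP rule's base64 content and the port-139 rule's hex content, confirms they are the same PE32 optional header (with the "UPX0" section header fitting the same packed image), and generates the base64 encodings for all three byte alignments, since a single base64 content string only matches one of them. The constants are the posted content strings with the line wrap removed; the function names and the alignment helper are assumptions of this example.

```python
import base64
import struct

# Content strings copied from the Bugbear.B rules in the post above: the SMTP rule
# carries the base64 form of the PE optional header, the port-139 rule carries the
# raw bytes of that header plus the first section header.
SMTP_B64 = "CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"
OPT_HDR_HEX = ("0B010600002001000010000000E006002001080000F006000010080000"
               "004000001000000002")
SECTION_HEX = "555058300000000000E0060000100000"
OPT_FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
              "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
              "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment")

def raw_rule_matches_base64_rule() -> bool:
    """The raw-byte content must be exactly what the base64 content decodes to."""
    return base64.b64decode(SMTP_B64).startswith(bytes.fromhex(OPT_HDR_HEX))

def parse_optional_header(raw: bytes) -> dict:
    """Decode the leading PE32 IMAGE_OPTIONAL_HEADER fields (needs >= 36 bytes)."""
    return dict(zip(OPT_FIELDS, struct.unpack_from("<HBB8I", raw, 0)))

def parse_section_header(raw: bytes) -> dict:
    """Decode the start of an IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress."""
    name, vsize, vaddr = struct.unpack_from("<8sII", raw, 0)
    return {"Name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
            "VirtualAddress": vaddr}

def rules_describe_one_image() -> bool:
    """Both rules fit one UPX-packed PE32: UPX0 holds the uninitialized data and the
    code (UPX1) starts right after it, so a hit on either is the same packed layout."""
    opt = parse_optional_header(bytes.fromhex(OPT_HDR_HEX))
    sec = parse_section_header(bytes.fromhex(SECTION_HEX))
    return (opt["Magic"] == 0x10B and sec["Name"] == "UPX0"
            and opt["SizeOfUninitializedData"] == sec["VirtualSize"]
            and opt["BaseOfCode"] == sec["VirtualAddress"] + sec["VirtualSize"])

def base64_alignments(raw: bytes) -> list:
    """A base64 content string matches only when the pattern starts at the same byte
    offset mod 3 inside the attachment. Return the encodings for all three
    alignments, keeping only complete groups made entirely of pattern bytes."""
    out = []
    for shift in range(3):
        enc = base64.b64encode(b"\0" * shift + raw).decode()
        groups = [enc[i:i + 4] for i in range(0, len(enc), 4)][1 if shift else 0:]
        out.append("".join(g for g in groups if "=" not in g))
    return out
```

The three strings from base64_alignments are what a rule would need as alternatives if the attachment's MIME offset is not known in advance.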

