Snort mailing list archives

RE: Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?


From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 29 Jan 2004 09:28:53 -0800 (PST)

Hello Dr. Martin,
I don't believe that rule would work at all unless the
message misspells "respresented". Hehe..

BTW, SCO is already reporting a DoS of their site due to
this worm and is offering a $250,000 reward for the
worm writers, and it is not Feb. 1 yet!

I just finished an email that addressed the new worm
rules which basically stated that I used the existing
"VIRUS OUTBOUND .pif/.scr file attachment" rules to
find out who had it here, and it worked flawlessly.
Good luck.

Cheese!

Marc

---------------------Original Message------------------
Message: 5
Subject: RE: [Snort-users] Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?
Date: Wed, 28 Jan 2004 13:28:13 -0600
From: "Martin Jr., D. Michael" <martinm () montevallo edu>
To: <sam () neuroflux com>, "Joe Stewart" <jstewart () lurhq com>
Cc: <snort-sigs () lists sourceforge net>, <snort-users () lists sourceforge net>

The MyDoom/Novarg virus won't start utilizing port 80 until February 1st
when it attempts the denial of service on SCO.com. (See other related
email.) But that does, however, pose an interesting question...

Does anyone have a signature for detecting the actual infection of
systems?

I have seen this one:
alert tcp any any -> any any (msg:"MyDoom"; content: "respresented in 7-bit ASCII"; nocase; sid: 1000569; classtype: Possible-VIRUS;)

BUT, according to NAI (http://vil.nai.com/vil/content/v_100983.htm) and
Symantec
(http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html)
there are many variations on the infection algorithm. This one
apparently only looks for SMTP traffic with "represented in 7-bit ASCII"
in the packet.

Suggestions?


D. Michael Martin, Jr.
Network Administrator
University of Montevallo
-------------------------------------------------------
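The two points in this exchange (the quoted rule's content string is misspelled, so it would never fire on a real message, while matching on .pif/.scr attachment names did catch infected hosts) can be checked against sample mail. The script below is an added illustration, not code from either poster or from Snort; it emulates a Snort content:/nocase substring match in plain Python and runs it, together with a simple attachment-name check, over three constructed SMTP payloads (not real captures; the worm-style text and filenames are invented for the demonstration).

```python
import re

# Constructed sample SMTP payloads (not real captures). The first mimics the
# phrase quoted in the thread ("represented in 7-bit ASCII") plus a .scr
# attachment; the second carries only a .pif attachment; the third is benign.
SAMPLE_MAILS = {
    "worm_style_mail": (
        "From: postmaster@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: Mail Delivery System\r\n"
        "Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "The message cannot be represented in 7-bit ASCII encoding and has been "
        "sent as a binary attachment.\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream; name=\"message.scr\"\r\n"
        "Content-Disposition: attachment; filename=\"message.scr\"\r\n"
        "\r\n"
        "<base64 payload omitted>\r\n"
        "--b1--\r\n"
    ),
    "pif_only_mail": (
        "From: someone@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: hi\r\n"
        "Content-Type: application/octet-stream; name=\"readme.pif\"\r\n"
        "Content-Disposition: attachment; filename=\"readme.pif\"\r\n"
        "\r\n"
        "<base64 payload omitted>\r\n"
    ),
    "benign_mail": (
        "From: colleague@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: quarterly report\r\n"
        "Content-Disposition: attachment; filename=\"report.txt\"\r\n"
        "\r\n"
        "Attached is the ASCII report, represented as plain text.\r\n"
    ),
}


def content_match(payload: str, pattern: str, nocase: bool = True) -> bool:
    """Simplified stand-in for a Snort 'content:' option: plain substring
    search, case-insensitive when nocase is set (as in the quoted rule)."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# A MIME name= / filename= parameter whose value ends in .pif or .scr.
RISKY_ATTACHMENT_RE = re.compile(
    r'(?:file)?name="?[^";\r\n]*\.(?:pif|scr)\b', re.IGNORECASE
)


def has_pif_or_scr_attachment(payload: str) -> bool:
    """Rough equivalent of the '.pif/.scr file attachment' idea Marc mentions:
    flag any MIME part whose declared name ends in .pif or .scr."""
    return RISKY_ATTACHMENT_RE.search(payload) is not None


RULES = {
    # The rule posted in the thread, with its misspelled content string.
    "posted_rule_respresented": lambda p: content_match(p, "respresented in 7-bit ASCII"),
    # The same rule with the string spelled as the worm text actually reads.
    "corrected_rule_represented": lambda p: content_match(p, "represented in 7-bit ASCII"),
    # The attachment-extension approach that caught infections in practice.
    "pif_scr_attachment": has_pif_or_scr_attachment,
}


def evaluate_rules(mails=SAMPLE_MAILS):
    """Return {mail_name: {rule_name: matched}} for every mail/rule pair."""
    return {name: {rule: check(payload) for rule, check in RULES.items()}
            for name, payload in mails.items()}


def rules_that_fired(results):
    """Names of rules that matched at least one sample; a rule that never fires
    on the worm-style mail is useless as an infection signature."""
    return sorted({rule for hits in results.values()
                   for rule, ok in hits.items() if ok})


if __name__ == "__main__":
    for mail, hits in evaluate_rules().items():
        print(mail, hits)
```

Running it shows the posted rule matching nothing at all, the corrected string matching only the worm-style mail, and the attachment check firing on both mails that carry a .pif/.scr part while leaving the benign .txt alone. Note that the attachment check is a heuristic on declared MIME names, so a sender can trivially rename a part; it is a quick triage signal, not proof of infection.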
