Snort mailing list archives
RE: Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?
From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 29 Jan 2004 09:28:53 -0800 (PST)
Hello Dr. Martin,

I don't believe that rule would work at all unless the message misspells "respresented" Hehe.. BTW, SCO is already reporting a DoS of their site due to this worm and is offering a $250,000 reward for the worm writers and it is not Feb. 1 yet! I just finished an email that addressed the new worm rules which basically stated that I used the existing "VIRUS OUTBOUND .pif/.scr file attachment" rules to find out who had it here, and it worked flawlessly.

Good luck.
Cheese!
Marc

---------------------Original Message------------------
Message: 5
Subject: RE: [Snort-users] Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?
Date: Wed, 28 Jan 2004 13:28:13 -0600
From: "Martin Jr., D. Michael" <martinm () montevallo edu>
To: <sam () neuroflux com>, "Joe Stewart" <jstewart () lurhq com>
Cc: <snort-sigs () lists sourceforge net>, <snort-users () lists sourceforge net>

The MyDoom/Novarg virus won't start utilizing port 80 until February 1st when it attempts the denial of service on SCO.com. (See other related email.) But that does, however, pose an interesting question... Does anyone have a signature for detecting the actual infection of systems? I have seen this one:

alert tcp any any -> any any (msg:"MyDoom"; content: "respresented in 7-bit ASCII"; nocase; sid: 1000569; classtype: Possible-VIRUS;)

BUT, according to NAI (http://vil.nai.com/vil/content/v_100983.htm) and Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html) there are many variations on the infection algorithm. This one apparently only looks for SMTP traffic with "represented in 7-bit ASCII" in the packet. Suggestions?

D. Michael Martin, Jr.
Network Administrator
University of Montevallo
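As an added illustration (not code from the thread or from Snort), the following minimal matcher for the Snort `content`/`nocase` options shows why the quoted rule never fires on the worm's text, and how an attachment-extension check of the kind Marc describes catches the same message. The SMTP body fragment is constructed for the example, not a real capture.

```python
import re

# Added example: a tiny stand-in for Snort's 'content' / 'nocase' matching,
# enough to test the rule quoted in the thread against a sample payload.

def parse_content_options(rule):
    """Return [(pattern_bytes, nocase), ...] from the rule's option block.
    Only plain quoted content strings and the nocase modifier are handled,
    which is all the quoted rule uses (no |hex| escapes, offset, depth)."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for field in (f.strip() for f in opts.split(";") if f.strip()):
        key, _, value = field.partition(":")
        key = key.strip()
        if key == "content":
            contents.append([value.strip().strip('"').encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True      # nocase modifies the preceding content
    return [tuple(c) for c in contents]

def rule_matches(rule, payload):
    """True when every content option of the rule is present in payload."""
    for pattern, nocase in parse_content_options(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

# Same idea as the "VIRUS OUTBOUND .pif/.scr file attachment" rules Marc used:
# flag MIME parts whose declared (file)name ends in .pif or .scr.
ATTACHMENT_RE = re.compile(rb'name="?[^"\r\n]+\.(pif|scr)"?', re.IGNORECASE)

def suspicious_attachment(payload):
    """Return the flagged extension in lower case, or None."""
    m = ATTACHMENT_RE.search(payload)
    return m.group(1).lower().decode() if m else None

# Rule exactly as quoted in the thread, and the same rule with the typo corrected.
QUOTED_RULE = ('alert tcp any any -> any any (msg:"MyDoom"; content: '
               '"respresented in 7-bit ASCII"; nocase; sid: 1000569; '
               'classtype: Possible-VIRUS;)')
FIXED_RULE = QUOTED_RULE.replace("respresented", "represented")

# Constructed SMTP body fragment modelled on the worm's wording (not a real capture).
SAMPLE_BODY = (b"The message cannot be Represented in 7-bit ASCII encoding and has "
               b"been sent as a binary attachment.\r\n"
               b"Content-Type: application/octet-stream; name=\"document.PIF\"\r\n")

if __name__ == "__main__":
    print("quoted rule fires:", rule_matches(QUOTED_RULE, SAMPLE_BODY))  # False
    print("fixed rule fires:", rule_matches(FIXED_RULE, SAMPLE_BODY))    # True
    print("attachment check:", suspicious_attachment(SAMPLE_BODY))       # pif
```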
Current thread:
- RE: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R? Jim Clews (Jan 27)
- <Possible follow-ups>
- RE: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R? Jim Clews (Jan 27)
- RE: Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R? Martin Jr., D. Michael (Jan 28)
- RE: Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R? SN ORT (Feb 02)