Snort mailing list archives

Re: Re: pif worm


From: pbsarnac () ThoughtWorks com
Date: Wed, 22 Aug 2001 19:50:50 -0500


Generally, there's no reason for pif files to be sent around, except as
vectors for virii.  This rule:

alert tcp any 110 -> any any (msg:"Virus - Possible pif Worm"; content:".pif"; nocase; sid:721; rev:1;)

triggers any time POP3 traffic has a .pif file attached. Sircam is a good
example of a virus (or worm) that uses this vector, but there are others,
such as the recent MTX worm. (see
http://www.symantec.com/avcenter/venc/data/w95.mtx.html for more info).
This is a generic rule to detect files flying over POP3 email that have a
very good probability of being virii.


"Mike Klinke" <LSOMike () telocity com>
Sent by: snort-users-admin@lists.sourceforge.net
08/22/2001 07:17 PM

To:      <ballmann () co-de de>
cc:      <snort-users () lists sourceforge net>
Subject: [Snort-users] Re: pif worm

    Hi @ll !!! =)
    Can anyone tell me what the pif worm is? If this is in the snort logs:

    Virus - Possible pif Worm: 213.240.167.89:110 -> 213.240.167.93:45417


It's a packet that has ".pif" in it. In my first encounter it turned out to
be a downloaded e-mail containing the SirCam virus before the anti-virus
orgs had scanners available for it.

Regards, Mike Klinke
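As an added illustration, not part of this thread or of the Snort rule set: the Python script below contrasts what sid:721 actually matches (a bare, case-insensitive ".pif" anywhere in the POP3 payload, so a mail that merely discusses .pif files fires too) with a MIME-aware check that only reports attachments whose filename ends in .pif. Both sample mails, their addresses and the attachment body are constructed for this example.

```python
import email
from email import policy

# Constructed sample 1: a retrieved POP3 mail carrying a Sircam-style
# ".DOC.PIF" attachment (the attachment content is just base64 "Hello").
WORM_MAIL = (
    "From: someone@example.invalid\r\n"
    "To: you@example.invalid\r\n"
    "Subject: Check this document\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XX"\r\n'
    "\r\n--XX\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "I send you this file in order to have your advice\r\n"
    "--XX\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="document.DOC.PIF"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "SGVsbG8=\r\n"
    "--XX--\r\n"
)

# Constructed sample 2: a harmless mail whose body text mentions ".pif".
BENIGN_MAIL = (
    "From: admin@example.invalid\r\n"
    "To: you@example.invalid\r\n"
    "Subject: Reminder\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Please do not open .pif attachments from strangers.\r\n"
)


def snort_style_match(raw: str) -> bool:
    """What sid:721 does: case-insensitive substring search for '.pif'
    anywhere in the payload, so body text mentioning .pif also fires."""
    return ".pif" in raw.lower()


def pif_attachment_names(raw: str) -> list[str]:
    """Tighter check: parse the MIME structure and return the filenames of
    attachments whose extension is .pif (case-insensitive)."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".pif"):
            names.append(name)
    return names


if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("benign", BENIGN_MAIL)):
        print(label, snort_style_match(raw), pif_attachment_names(raw))
```

Running it shows the Snort-style check firing on both mails while the MIME-aware check reports only the worm sample's attachment, which is the false-positive trade-off to keep in mind when tuning this rule.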



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
