Re: WIN2K IRC Trojan

["F.M. Taylor" <root () uranium indstate edu>]

This is what I am currently using to catch them with, but is not as
accurate as I would like.

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667:7000 (msg:"INFO Possible IRC
XDCC"; flags: A+; content: "Total
Offered"; classtype:bad-unknown; sid:9542; rev:2;)

On Fri, 6 Sep 2002, Mike Shaw wrote:

> What are the details on the trojan?  I may have a copy on the way.
>
> -Mike
>
> At 03:53 PM 9/6/2002 -0400, Ian Macdonald wrote:
> > If anyone has any details on how this works please send them to the
> > snort-sigs mailing list so we can write some sigs.
> >
> > Ian
> > ----- Original Message -----
> > From: "F.M. Taylor" <root () uranium indstate edu>
> > To: <snort-users () lists sourceforge net>
> > Sent: Friday, September 06, 2002 3:11 PM
> > Subject: [Snort-users] WIN2K IRC Trojan
> >
> >
> > > Dudez, wtf is up with this trojan/hack/bot/win2k exploit that seems to be
> > > speading itself fairly rapidly.  Is there a sig for this yet?  Does anyone
> > > even know how this thing is being spread??
> > >
> > >
> > > --
> > > Mike Taylor
> > > Coordinator of Systems Administration and Network Security
> > > Indiana State University.               Rankin Hall Rm 053
> > > 210 N 7th St.                           Terre Haute, IN.
> > > SANS GSEC  http://www.sans.org/
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by: OSDN - Tired of that same old
> > > cell phone?  Get a new here for FREE!
> > > https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by: OSDN - Tired of that same old
> > cell phone?  Get a new here for FREE!
> > https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: OSDN - Tired of that same old
> cell phone?  Get a new here for FREE!
> https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Mike Taylor
Coordinator of Systems Administration and Network Security
Indiana State University.               Rankin Hall Rm 053
210 N 7th St.                           Terre Haute, IN.
SANS GSEC  http://www.sans.org/



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users