Snort mailing list archives

Klez sig detects Frethem-Fam


From: Detmar Liesen <counter.spy () gmx de>
Date: Tue, 16 Jul 2002 15:33:23 +0200 (MEST)

Hi again,
granted, I haven't read my sigs mail thoroughly during the past few days, so
maybe this has already been discussed.

We are currently detecting lots of "Klez" worms with our Snort, which are in
fact Frethem-Fam worms, so the two seem to be related or derived from each
other.
I can tell this from the AV alerts on our mail gateway.

Question:
Is there any means to distinguish the two from each other?
I'd rather not look for the "password" W8dqwq8q918213 (see reference
in-line) since this is likely to change.
Has anybody created a sig for Frethem already?

Maybe it's no good to create additional signatures for each derived worm,
because this has a negative impact on Snort performance. Snort is no AV tool anyway.

What do you recommend regarding worm/virus detection in Snort?
Is this something we should leave to the AV software solely?

TIA,
Detmar

Additional Info:
http://www.sophos.com/virusinfo/analyses/w32frethemfam.html



