Snort mailing list archives
Klez sig detects Frethem-Fam
From: Detmar Liesen <counter.spy () gmx de>
Date: Tue, 16 Jul 2002 15:33:23 +0200 (MEST)
Hi again,

granted, I haven't read my sigs mail thoroughly during the past few days, so maybe this has already been discussed.

We are currently detecting lots of "Klez" worms with our Snort, which are in fact Frethem-Fam worms, so the two seem to be related or derived from each other. I can tell this from the AV alerts on our mail gateway.

Question: Is there any means to distinguish the two from each other? I'd rather not look for the "password" W8dqwq8q918213 (see reference in-line) since this is likely to change. Has anybody created a sig for Frethem already?

Maybe it's no good to create additional signatures for each derived worm, because this has a negative impact on Snort performance. Snort is no AV tool anyway. What do you recommend regarding worm/virus detection in Snort? Is this something we should leave to the AV software solely?

TIA,
Detmar

Additional Info: http://www.sophos.com/virusinfo/analyses/w32frethemfam.html
Current thread:
- Klez sig detects Frethem-Fam Detmar Liesen (Jul 16)
- Re: Klez sig detects Frethem-Fam Shane Williams (Jul 16)
- Re: Klez - Detect MIME- and IFRAME exploit Kistler Ueli (Jul 16)
- Re: Klez sig detects Frethem-Fam Shane Williams (Jul 16)