Snort mailing list archives

Fizzer Virus Signature


From: "Jeremy Junginger" <jj () act com>
Date: Tue, 13 May 2003 10:05:22 -0700

Has anyone written a signature for the Fizzer worm?  I found these on
Symantec's site, they are written for ManHunt, but they look very much
like Snort signatures, plus they load okay (I put them in fizzer.rules).
Could you take a look at them and let me know if I'm on the right
track?

alert tcp any any -> any any (msg:"W32.HLLW.Fizzer@mm";content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t";nocase;content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e";nocase;)

alert udp any any -> any any (msg:"W32.HLLW.Fizzer@mm";content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t";nocase;content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e";nocase;)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer@mm";content:"AHMAZQByAHYAYwAuAGUAeABl";)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer@mm";content:"AGwAcwBlAHIAdgBjAC4AZQB4";)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer@mm";content:"AbABzAGUAcgB2AGMALgBlAHg";)

Many Thanks!  Also, could someone clarify what's going on with the |00|
stuff?  I've seen it here and there, but don't really understand it.  I
can see the obvious "Microsoft R Windows System Init" and "lservc.exe"
(which looks strange, because it should be looking for iservc.exe AFAIK).
Anyhow, thanks!

-Jeremy
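Editor's note with an added worked example; this script is not part of the original post and is not Symantec's or Snort's code. In Snort's content syntax, text between pipes is raw hex bytes, so |00| is a single zero byte. The alternating zero bytes in the first two rules are the high bytes of UTF-16LE ("wide") characters, which is how Windows stores strings in executables. The three port-25 rules are the same filename after base64 encoding in a mail attachment: base64 works on 3-byte groups, so a substring can land at one of three alignments and needs one signature per alignment. The script below parses the content syntax, decodes the wide strings, derives the three base64 alignments for a UTF-16LE filename, and maps each posted base64 string to the alignment it matches. Assumptions made here: the two places where the mailing-list wrap broke the first content string at a word boundary were spaces; in UTF-16LE text the byte just before the string is the 00 high byte of the previous character (so it is treated as known, as Symantec's strings evidently do); and the function and constant names are this example's own.

```python
import base64
import math

# Content strings copied from the posted rules (constructed here as Python
# literals). Where the mailing-list line wrap broke the first string at a
# word boundary, a space (" |00|") is assumed.
MS_INIT_CONTENT = (
    "M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|"
    "W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|"
    "S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t"
)
LSERVC_CONTENT = "l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"
PORT25_B64 = [  # the three base64 content strings from the port-25 rules
    "AHMAZQByAHYAYwAuAGUAeABl",
    "AGwAcwBlAHIAdgBjAC4AZQB4",
    "AbABzAGUAcgB2AGMALgBlAHg",
]


def snort_content_to_bytes(content: str) -> bytes:
    """Expand Snort content syntax into raw bytes: text outside |...| is
    literal, text inside is hex bytes (optionally space separated)."""
    out = bytearray()
    hexbuf = []
    in_hex = False
    for ch in content:
        if ch == "|":
            if in_hex:
                out += bytes.fromhex("".join(hexbuf))
                hexbuf = []
            in_hex = not in_hex
        elif in_hex:
            hexbuf.append(ch)
        else:
            out += ch.encode("latin-1")
    if in_hex:
        raise ValueError("unterminated |hex| block in content string")
    return bytes(out)


def decode_utf16le_content(content: str) -> str:
    """Decode a content string whose |00| bytes are UTF-16LE high bytes.
    The posted rules stop after the last ASCII byte, so an odd-length
    pattern gets its missing trailing 00 added before decoding."""
    raw = snort_content_to_bytes(content)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def base64_alignments(text: str, byte_before: bytes = b"\x00") -> list:
    """Return the three base64 substrings that UTF-16LE `text` produces in a
    base64 body, one per 3-byte alignment. The byte just before the string
    is assumed to be the 00 high byte of the previous character, so it is
    treated as known; only base64 characters whose six bits fall wholly
    inside known bytes are kept."""
    known = byte_before + text.encode("utf-16-le")
    variants = []
    for pad in range(3):
        buf = b"\x00" * pad + known            # pad bytes stand in for unknown data
        buf += b"\x00" * (-len(buf) % 3)       # filler so no '=' padding appears
        encoded = base64.b64encode(buf).decode("ascii")
        start = math.ceil(8 * pad / 6)         # first char fully inside known bytes
        end = (8 * (pad + len(known))) // 6    # one past the last such char
        variants.append(encoded[start:end])
    return variants


def map_rules_to_alignments(rule_strings, text: str) -> dict:
    """For each posted base64 string, the alignment index (0-2) that
    produces it, or None if UTF-16LE `text` can never yield it."""
    variants = base64_alignments(text)
    result = {}
    for s in rule_strings:
        hits = [i for i, v in enumerate(variants) if s in v]
        result[s] = hits[0] if hits else None
    return result


def covers_all_alignments(rule_strings, text: str) -> bool:
    """True when the rule set catches the string at every base64 alignment."""
    found = set(map_rules_to_alignments(rule_strings, text).values())
    return found == {0, 1, 2}


if __name__ == "__main__":
    print(decode_utf16le_content(MS_INIT_CONTENT))
    print(decode_utf16le_content(LSERVC_CONTENT))
    for i, v in enumerate(base64_alignments("lservc.exe")):
        print(f"alignment {i}: {v}")
    print(map_rules_to_alignments(PORT25_B64, "lservc.exe"))
    print("covers lservc.exe:", covers_all_alignments(PORT25_B64, "lservc.exe"))
    print("covers iservc.exe:", covers_all_alignments(PORT25_B64, "iservc.exe"))
```

Run as-is it decodes the wide strings and shows that the three base64 strings are the three alignments of UTF-16LE "lservc.exe", consistent with the spelling in the |00| rules; swapping in "iservc.exe" shows only the first string still matches, because that one starts at the "s" and so does not constrain the leading character at all. Two practical caveats when loading rules like these: the two `any any -> any any` rules run a content search on every TCP and UDP packet, which is costly without a port or flow restriction, and Snort's content match is per packet unless stream reassembly is enabled, so a string split across segments is missed.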

