Snort mailing list archives

RE: Fizzer Virus Signature

From: "operator" <operator () email it>
Date: Wed, 14 May 2003 19:01:01 +0200
The first two rules use a header part "alert tcp any any -> any any" (same
for udp) too generic
and at the same time a "content" rule option actually heavy.

I don't want to use these rules, but that's also because no NETBIOS traffic
pass through my
firewall and seems to me that the rules would like to capture this event.

Anyway I add three new lines to my experimental.rules file like:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"W32.HLLW.Fizzer@mm
SMTP Trojan Attempt"; flow:to_server,established;
content:"AHMAZQByAHYAYwAuAGUAeABl";\
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizz
er () mm html; classtype: trojan-activity; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"W32.HLLW.Fizzer@mm
SMTP Trojan Attempt"; flow:to_server,established;
content:"AGwAcwBlAHIAdgBjAC4AZQB4";\
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizz
er () mm html; classtype: trojan-activity; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"W32.HLLW.Fizzer@mm
SMTP Trojan Attempt"; flow:to_server,established;
content:"AbABzAGUAcgB2AGMALgBlAHg";\
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizz
er () mm html; classtype: trojan-activity; sid:1000006; rev:1;)

Any comment?

Maxx

----- Original Message -----
From: "Jeremy Junginger" <jj () act com>
To: <Snort-users () lists sourceforge net>
Sent: Tuesday, May 13, 2003 7:05 PM
Subject: [Snort-users] Fizzer Virus Signature


Has anyone written a signature for the Fizzer worm?  I found these on
Symantec's site, they are written for ManHunt, but they look very much
like Snort signatures, plus they load okay (I put them in fizzer.rules).
Could you take a look at them and let me know if I'm on the right
track??

alert tcp any any -> any any
(msg:"W32.HLLW.Fizzer@mm";content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|
00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00|
|00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00|
|00|I|00|n|00|i|00|t";nocase;content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00
|e|00|x|00|e";nocase;)

alert udp any any -> any any
(msg:"W32.HLLW.Fizzer@mm";content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|
00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00|
|00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00|
|00|I|00|n|00|i|00|t";nocase;content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00
|e|00|x|00|e";nocase;)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer@mm";content:"AHMAZQByAHYAYwAuAGUAeABl";)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer@mm";content:"AGwAcwBlAHIAdgBjAC4AZQB4";)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer@mm";content:"AbABzAGUAcgB2AGMALgBlAHg";)

Many Thanks!  Also, could someone clarify what's going on with the |00|
stuff?  I've seen it here and there, but don't really understand it.  I
can see the obvious "Microsoft R Windows System Init" and "lservc.exe"
(which looks strange, because it should be looking for iservc.exe AFAIK.
Anyhow, thanks!

-Jeremy


-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users




--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f

Sponsor:
Interessi alti, massima libertà. È Conto Arancio di ING Direct.
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=660&d=14-5


--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f

Sponsor:
Un regalo unico e speciale, REGALA UNA STELLA, avrai il certificato di
proprietà e la mappa per localizzarla nella galassia. La trovi su www.regali.it
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=1497&d=14-5


-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

Fizzer Virus Signature Jeremy Junginger (May 13)
- <Possible follow-ups>
- Fizzer Virus Signature Jeremy Junginger (May 13)
  - Re: Fizzer Virus Signature Chris Keladis (May 14)
- RE: Fizzer Virus Signature L. Christopher Luther (May 13)
- RE: Fizzer Virus Signature operator (May 14)
  - Re: Fizzer Virus Signature Jason Haar (May 14)