Snort mailing list archives

Re: Strange ICMP traffic. Perhaps a worm?


From: Jim Brown <jpb () sixshooter v6 thrupoint net>
Date: Tue, 16 Dec 2003 20:29:06 -0500

* adam.w.hogan <adam.w.hogan () delphi com> [2003-12-15 11:02]:

A lot of those alerts indicate the Nachi/Welchia worm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

-----Original Message-----
From: Harry M [mailto:harrym () the-group org]
Sent: Thursday, December 11, 2003 6:01 PM
To: snort-users
Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?


I'm getting lots of ICMP traffic that looks pretty odd to me. They are all
ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................


This is a recon for Nachi/Welchia.  You should read:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
http://vil.nai.com/vil/content/v_100559.htm
http://www.microsoft.com/technet/security/virus/alerts/nachi.asp

Best Regards,
jpb
===
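
An added example, not part of the original thread and not Snort's own code: a Python check for the pattern in the dump quoted above, an ICMP echo request whose payload is entirely 0xAA. The function names, sample packets and 192.0.2.x addresses are constructed for illustration, and the 64-byte length is an assumption taken from the four dump rows shown.

```python
import struct
from collections import Counter

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Hypothetical helper: build a constructed ICMP message for the samples below."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def classify_icmp(message: bytes, fill: int = 0xAA, length: int = 64) -> str:
    """Classify one ICMP message (IP header already stripped)."""
    if len(message) < 8:
        return "truncated"
    if icmp_checksum(message) != 0:
        return "bad-checksum"
    icmp_type, code = message[0], message[1]
    if (icmp_type, code) != (8, 0):          # type 8, code 0 = echo request
        return "not-echo-request"
    payload = message[8:]
    if len(payload) == length and payload == bytes([fill]) * length:
        return "aa-fill-ping"
    return "other-echo-request"

def sources_sending_fill(packets) -> Counter:
    """Count 0xAA-filled pings per source over (src_ip, icmp_bytes) pairs."""
    counts = Counter()
    for src, message in packets:
        if classify_icmp(message) == "aa-fill-ping":
            counts[src] += 1
    return counts

# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLES = [
    ("192.0.2.10", build_icmp(8, b"\xaa" * 64, seq=1)),
    ("192.0.2.10", build_icmp(8, b"\xaa" * 64, seq=2)),
    ("192.0.2.20", build_icmp(8, b"abcdefghijklmnopqrstuvwabcdefghi")),  # other payload
    ("192.0.2.30", build_icmp(0, b"\xaa" * 64)),                        # echo reply
]

if __name__ == "__main__":
    for src, n in sources_sending_fill(SAMPLES).items():
        print(f"{src}: {n} echo request(s) with 64 x 0xAA payload")
```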


