Snort mailing list archives

Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?


From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: Mon, 26 Jan 2004 15:01:07 -0800

I don't believe it's a new variant, but rather a whole new virus
altogether. But, it's so new nobody really knows much about it.

Read about it here.

http://vil.nai.com/vil/content/v_100983.htm

It's called Mydoom or Dumaruy.  Very high risk.  We just blocked all
.zips until the virus vendors release new definitions/cleaners.

Hope your day isn't as hectic as mine because of this damn thing.

--Bryan

On Mon, 2004-01-26 at 13:42, sam () neuroflux com wrote:
All:

We are experiencing what appears to be a new variant of the MIMAIL virus.
We've had several machines infected now, and I've created a quick
signature:

alert tcp any any -> any any (msg: "Test Virus Pattern"; content: "represented in 7-bit ASCII"; nocase; sid:1000569;)

The contents of the message, at least from what we have gathered, is this:

The subject is: Hi

The body, at least once it comes into our exchange server is:

represented in 7-bit ASCII

The attachments are stored inside a .zip file, but are either .scr, .pif,
.exe etc. etc.

What we've discovered thus far:

* The worm also has its own SMTP engine, and therefore any infected
machine started mass mailing to the internet.

* We've been on the phone with Symantec and Trend, and they are currently
investigating and creating new signatures.

* Some of the attachments come in as status.zip.

* Thought I'd pass this along in case anyone else is stumped.

-Sam
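The Snort rule above only matches the body string on the wire. As an added example (not part of this thread or of Snort), the following Python applies the same indicators Sam lists to a stored RFC 822 message: the "Hi" subject, the case-insensitive body marker, and a .zip attachment that carries a .scr/.pif/.exe inside. The sample message it builds is constructed for the demonstration, not a real capture.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted from the thread; nothing else is assumed about the worm.
BODY_MARKER = "represented in 7-bit ASCII"
SUSPICIOUS_EXTS = (".scr", ".pif", ".exe")


def inspect_message(raw: bytes) -> dict:
    """Report which of the thread's indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject_hi": False, "body_marker": False, "zip_with_executable": []}
    hits["subject_hi"] = str(msg.get("Subject") or "").strip().lower() == "hi"
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/plain" and not fname:
            # Same case-insensitive match as the Snort rule's nocase option.
            if BODY_MARKER.lower() in part.get_content().lower():
                hits["body_marker"] = True
        elif fname.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for name in zf.namelist():
                        if name.lower().endswith(SUSPICIOUS_EXTS):
                            hits["zip_with_executable"].append(f"{fname}:{name}")
            except zipfile.BadZipFile:
                pass  # a truncated or fake zip is still worth logging elsewhere
    return hits


def is_suspect(hits: dict) -> bool:
    """Body marker plus an executable inside a zip is the combination Sam saw."""
    return hits["body_marker"] and bool(hits["zip_with_executable"])


def build_sample(with_marker: bool = True) -> bytes:
    """Constructed sample shaped like the description above (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"placeholder, not an executable")
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Hi", "a@example.com", "b@example.com"
    m.set_content(BODY_MARKER if with_marker else "hello")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="status.zip")
    return m.as_bytes()
```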



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

