[Snort-sigs] w32/hybris-gen at ...23... worm sigs

Steve Halligan agent33 at ...22...
Thu Dec 14 14:04:54 EST 2000


Here are a couple of sigs for a new worm that is going around out there.
The content seems to be correct.  Three different individuals "kindly" sent
this worm to me independently, and the strange content type statement was in
all of them.  Correct me if I am wrong...



alert tcp any any -> $HOME_NET 25 (msg:"VIRUS - Possible incoming W32-hybris.gen at ...23... worm"; content:"boundary=\"--VE"; nocase;)

alert tcp $HOME_NET any -> any 25 (msg:"VIRUS - Possible outgoing W32-hybris.gen at ...23... worm"; content:"boundary=\"--VE"; nocase;)


Here are the headers for the 3 messages I got:

----------example one------------
Received: from pavilion (some.infected.computer.com [xx.yy.zz.aa]) by
my.mailserver.com SMTP 
	id XA0YAF4P; Mon, 11 Dec 2000 19:10:47 -0600
From: Hahaha <hahaha at ...24...>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEF8TYV89M3WTQVGLUZ"

----VEF8TYV89M3WTQVGLUZ
Content-Type: text/plain; charset="us-ascii"

----VEF8TYV89M3WTQVGLUZ
Content-Type: application/octet-stream; name="sexy virgin.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sexy virgin.scr"

----VEF8TYV89M3WTQVGLUZ--

---------example two--------------
Received: from oemcomputer (some.infected.computer.com [xx.yy.zz.aa]) by
my.mailserver.com SMTP)
	id XA0YABVC; Mon, 4 Dec 2000 12:53:59 -0600
From: Hahaha <hahaha at ...24...>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH"

----VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH
Content-Type: text/plain; charset="us-ascii"

----VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH
Content-Type: application/octet-stream; name="midgets.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="midgets.scr"

----VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH--

----------example three----------------
Received: from server
(some.infected.computer.in.boliva.I.dont.know.anyone.there.wierd.com
[xx.yy.zz.aa]) by my.mailserver.com SMTP) 
	id Y5TMBBVA; Thu, 14 Dec 2000 10:10:59 -0600
From: Hahaha <hahaha at ...24...>
Subject: Enanito si, pero con que pedazo!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEJG9E7SDMR"

----VEJG9E7SDMR
Content-Type: text/plain; charset="us-ascii"

----VEJG9E7SDMR
Content-Type: application/octet-stream; name="enano.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="enano.exe"

----VEJG9E7SDMR--

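As an added illustration (not part of Steve's post), the following Python check mirrors what the posted rule does on the wire, a case-insensitive substring match for `boundary="--VE`, and then parses the same two indicators out of the message with the standard `email` module: the MIME boundary prefix and an executable attachment name. The two sample messages are constructed from the headers quoted above; the sender addresses, the second (benign) message and the attachment bodies are placeholders.

```python
import email
from email import policy

# Constructed sample modelled on the headers quoted in the post (not a real
# capture; the address is a placeholder, the attachment body is filler).
HYBRIS_LIKE = """From: Hahaha <hahaha@example.invalid>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH"

----VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH
Content-Type: text/plain; charset="us-ascii"

----VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH
Content-Type: application/octet-stream; name="midgets.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="midgets.scr"

QUJDRA==
----VEN4HQNG9AJ4HEZ8PIBG5YB8L2N81QVWH--
"""

# Constructed benign message whose boundary happens to begin with "--ve".
BENIGN = """From: Vendor Updates <updates@example.invalid>
Subject: Monthly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--vendor-report-0001"

----vendor-report-0001
Content-Type: text/plain; charset="us-ascii"

Report attached.
----vendor-report-0001
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
----vendor-report-0001--
"""

EXECUTABLE_SUFFIXES = (".scr", ".exe", ".pif", ".com", ".bat")


def snort_content_match(raw: str) -> bool:
    """Mirror the posted rule's content:"boundary=\\"--VE"; nocase; option:
    a case-insensitive substring test over the raw message text."""
    return 'boundary="--ve' in raw.lower()


def classify(raw: str) -> dict:
    """Parse the message and report the indicators visible in the post:
    a boundary parameter beginning with "--VE" (case-sensitive, as in all
    three quoted samples) and an attachment with an executable extension."""
    msg = email.message_from_string(raw, policy=policy.default)
    boundary = msg.get_boundary() or ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    exe = [n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    prefix_hit = boundary.startswith("--VE")
    return {
        "rule_fires": snort_content_match(raw),
        "boundary_prefix_exact": prefix_hit,
        "executable_attachments": exe,
        "verdict": "suspect" if prefix_hit and exe else "clean",
    }


if __name__ == "__main__":
    for label, raw in (("hybris-like", HYBRIS_LIKE), ("benign", BENIGN)):
        print(label, classify(raw))
```

The raw `nocase` match fires on both constructed messages, because the benign one's boundary also starts with `--ve`; that is the false-positive surface of a four-character content match. Parsing the boundary parameter case-sensitively and requiring a `.scr`/`.exe`-style attachment, as the three quoted samples all carry, separates the two without changing what the wire rule looks for.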