[Snort-sigs] Primitive signature for Weylah worm

Matt Kettler mkettler at ...189...
Thu Dec 20 14:37:08 EST 2001


I'm sure there's much better signatures and I've not seen this virus live 
yet, but based on some early web information here's a rule that might work. 
This is my first stab at posting a signature, so it likely has numerous 
errors, shortcomings and false positives.

I have a version that tries to detect the delivery to an SMTP server, as 
well as one for it being fetched from a POP server.

alert tcp any any -> any 25 (msg:"possible Welyah smtp"; content:"to Yahoo! Mail"; content:"a character set"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"possible Welyah pop3"; content:"to Yahoo! Mail"; content:"a character set"; nocase; classtype:misc-activity;)

This is based on information from:
http://www.datafellows.com/v-descs/welyah.shtml

Shortcomings I see:
	1) I'm matching a lot of text; this may be slow.
	2) One string is part of the subject line, the other is part of the body; 
these may well be in separate TCP segments unless you have stream 
reassembly on.
	3) I think the filename has something to the effect of 
"message.txt                                .pif" in it, but the number of 
spaces is unknown to me since I have not seen this one live yet. This will 
likely make a better signature.

Perhaps this may be a better content pairing (note the spaces):

content:"message.txt "; content:" .pif"

or just:
content:"   .pif"

It is also alleged to copy itself as "Winl0g0n.exe" but I do not know if 
this exists in the binary or not.
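As an added illustration of shortcomings 2) and 3) above (example code, not part of the original post or of Snort): a small emulation of the two-content rule run over a constructed mail body, once as one reassembled payload and once per TCP segment, plus a regex that tolerates the unknown number of spaces before ".pif". The sample mail, the segment size and the space-count threshold are constructed assumptions.

```python
import re

# Constructed sample mail in the shape the posted rule looks for: the
# Subject carries "to Yahoo! Mail", the body "a character set", and the
# attachment name pads "message.txt" with spaces before ".pif".
SAMPLE_MAIL = (
    b"Subject: Welcome to Yahoo! Mail\r\n"
    b"\r\n"
    b"Your mail client does not support a character set...\r\n"
    b"Content-Disposition: attachment; filename=\"message.txt"
    + b" " * 40 + b".pif\"\r\n"
)

RULE_CONTENTS = [b"to Yahoo! Mail", b"a character set"]


def rule_matches(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """Emulate the AND of several content: options on one payload.

    Simplification: case-insensitive for every content. In the posted rule
    nocase only modifies the content it follows ("a character set").
    """
    lowered = payload.lower()
    return all(c.lower() in lowered for c in contents)


def split_segments(payload: bytes, size: int) -> list:
    """Cut a payload into fixed-size chunks standing in for TCP segments."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def matches_per_segment(payload: bytes, size: int) -> bool:
    """What the rule sees without stream reassembly: each segment alone.

    Both strings must land in the same segment for a hit, which is the
    false-negative risk the post's point 2) describes.
    """
    return any(rule_matches(seg) for seg in split_segments(payload, size))


# Point 3): accept any run of two or more spaces between the two names,
# rather than guessing a fixed content string.
PIF_NAME_RE = re.compile(rb"message\.txt {2,}\.pif", re.IGNORECASE)


def padded_pif_name(payload: bytes) -> bool:
    """True when the padded 'message.txt ... .pif' attachment name appears."""
    return PIF_NAME_RE.search(payload) is not None
```

With a 40-byte segment size the subject and body strings fall into different segments and the rule misses, while the same bytes reassembled into one payload match.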