[Snort-sigs] w32/hybris-gen at ...23... worm sigs

Steve Halligan agent33 at ...22...
Fri Jan 5 16:13:34 EST 2001

haha...I couldn't send the message with the example headers.  Foiled by
SourceForge's virus scanner...If you want examples, look back at the original
message, or email me directly and I'll send em to ya.

I just noticed that this rule is not in the new beta ruleset, but a rule to
detect the "snow white" worm is.  The snow white worm is the same as this
worm, except the content statement in the snow white rule will not be
triggered by every email generated by this worm.  See
http://vil.mcafee.com/dispVirus.asp?virus_k=98873& for a complete

-----Original Message-----
From: Steve Halligan [mailto:agent33 at ...22...]
Sent: Thursday, December 14, 2000 1:05 PM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] w32/hybris-gen at ...23... worm sigs

Here are a couple of sigs for a new worm that is going around out there.
The content seems to be correct.  Three different individuals "kindly" sent
this worm to me independently and the strange content type statement was in
all of them.  Correct me if I am wrong...

alert tcp any any -> $HOME_NET 25 (msg: "VIRUS - Possible incoming W32-hybris.gen at ...23... worm"; content:"boundary=\"--VE"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg: "VIRUS - Possible outgoing W32-hybris.gen at ...23... worm"; content:"boundary=\"--VE"; nocase;)

Here are the headers for the 3 messages I got:
**removed to get this message by SourceForge's virus scanner :) **
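
An added example, not part of the original post or of the Snort ruleset: Python that applies the rules' content string to constructed messages as a payload-wide, case-insensitive substring match, and compares it with a check limited to the parsed Content-Type boundary parameter. The sample messages, the function names and the stricter header check are assumptions made for illustration.

```python
from email import message_from_bytes

# Lower-cased form of the content string used by the two rules above (nocase).
NEEDLE = b'boundary="--ve'

def raw_match(payload: bytes) -> bool:
    # Emulates the rule's content match: a substring hit anywhere in the payload.
    return NEEDLE in payload.lower()

def header_match(payload: bytes) -> bool:
    # Stricter check: only the boundary parameter of the top-level
    # Content-Type header counts, not text that appears in the body.
    boundary = message_from_bytes(payload).get_param("boundary")
    return isinstance(boundary, str) and boundary.lower().startswith("--ve")

HDR = b"From: a@example.invalid\r\nSubject: sample\r\nMIME-Version: 1.0\r\n"

# Constructed sample messages (not captured traffic).
SAMPLES = {
    # Boundary begins with --VE, as in the rule's content string.
    "worm_like": HDR
        + b'Content-Type: multipart/mixed; boundary="--VE0123"\r\n\r\n'
        + b"----VE0123\r\nContent-Type: text/plain\r\n\r\nhi\r\n----VE0123--\r\n",
    # Same header in different case; nocase keeps the match.
    "mixed_case": HDR
        + b'content-type: MULTIPART/MIXED; BOUNDARY="--ve0123"\r\n\r\n'
        + b"----ve0123\r\nContent-Type: text/plain\r\n\r\nhi\r\n----ve0123--\r\n",
    # Ordinary multipart mail with an unrelated boundary.
    "benign": HDR
        + b'Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001"\r\n\r\n'
        + b"------=_NextPart_000_0001\r\nContent-Type: text/plain\r\n\r\nhi\r\n"
        + b"------=_NextPart_000_0001--\r\n",
    # Plain-text mail that quotes the header in its body (e.g. a report
    # discussing the worm): the substring match fires, the header check does not.
    "quoted_in_body": HDR
        + b"Content-Type: text/plain\r\n\r\n"
        + b'The headers I saw:\r\nContent-Type: multipart/mixed; boundary="--VE0123"\r\n',
}

def classify(samples=SAMPLES):
    # Returns {name: (raw substring result, parsed header result)}.
    return {name: (raw_match(p), header_match(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (raw, hdr) in classify().items():
        print(f"{name:16} raw={raw!s:5} header={hdr}")
```
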