[Snort-sigs] Klez worm rule?

Shane Williams shanew at ...94...
Tue Apr 30 13:58:02 EDT 2002


On Tue, 30 Apr 2002, Kreimendahl, Chad J wrote:

>> tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Virus Incoming";
>> flow:to_server; flags:A+; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9";
>> classtype:misc-activity; sid:1000103; rev:1;) 

> From: bthaler at ...572... [mailto:bthaler at ...572...] 
> Does anyone have a good rule for the Klez worm and its variants?  I could
> make one based on the subject of the infected email, but it would take
> possibly 20 rules or more to catch all of the variations.  This method would
> also trigger a large number of false positives, no doubt.

Here's my rule:
alert tcp any any -> any 25 (msg:"Virus - W32.KLEZ in SMTP";
content: "AAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4"; sid:10010;
classtype:misc-activity; rev:2;)

Obviously I'm interested in watching both inbound and outbound SMTP
traffic for klez.  I should probably break those into two rules, but I
just wanted to check my signature first.  The string I catch on is
about 0x80 bytes down in the attachment.  Chad's looks to be about
0x40 bytes into the attachment.

There was another rule posted last week that caught on the opening of
the attachment, but I haven't really been able to assess whether one
is more effective or not.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |                               
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
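The rules in this thread all work the same way: pick a byte window inside the worm's attachment, base64-encode it, and put the resulting text in a content: match. Two details decide whether such a rule actually fires. First, base64 encodes in 3-byte groups, so a window that does not start on a group boundary (relative to the start of the attachment) encodes differently than the same bytes in the real stream; the window has to be rounded in to whole groups. Second, MIME base64 bodies are wrapped at 76 characters, so a content string that happens to cross a line break has a CRLF in the middle of it on the wire and a plain content: match never sees it. The script below is an added example, not code from the thread or from Snort; it builds the signature from a known window, checks the line-break hazard, and runs both checks over a constructed SMTP message. The "attachment" is a constructed byte pattern standing in for a real sample, and all function names are the example's own.

```python
import base64

B64_LINE_LEN = 76  # RFC 2045 maximum length of a base64 body line

# Constructed stand-in for the attachment being signatured (not Klez).
ATTACHMENT = bytes(range(256)) * 2


def _group_bounds(offset: int, length: int) -> tuple[int, int]:
    """Round the byte window [offset, offset+length) in to 3-byte groups.

    base64 emits 4 characters per 3 input bytes, so only whole groups that
    lie inside the window encode to text that is independent of the bytes
    on either side of it.
    """
    start = -(-offset // 3) * 3            # first group boundary >= offset
    end = ((offset + length) // 3) * 3     # last group boundary <= window end
    if end - start < 3:
        raise ValueError("window does not contain a whole base64 group")
    return start, end


def stable_b64_signature(attachment: bytes, offset: int, length: int) -> str:
    """Base64 text that attachment[offset:offset+length] produces in the
    encoded stream, trimmed to whole groups so it is usable as a content: match."""
    start, end = _group_bounds(offset, length)
    # start is a multiple of 3, so encoding this slice on its own yields
    # exactly the characters the full-attachment encoding has at that position
    return base64.b64encode(attachment[start:end]).decode("ascii")


def stream_offset(attachment: bytes, sig: str) -> int:
    """Character index of sig in the unwrapped base64 stream (-1 if absent)."""
    return base64.b64encode(attachment).decode("ascii").find(sig)


def straddles_line_break(offset: int, length: int) -> bool:
    """True if the signature for this window crosses a 76-column line boundary,
    i.e. a CRLF will sit inside it in the MIME body."""
    start, end = _group_bounds(offset, length)
    first_char = start * 4 // 3
    last_char = end * 4 // 3 - 1
    return first_char // B64_LINE_LEN != last_char // B64_LINE_LEN


def mime_b64_lines(data: bytes) -> bytes:
    """Encode data as a MIME base64 body: 76-character lines, CRLF terminated."""
    enc = base64.b64encode(data)
    return b"".join(enc[i:i + B64_LINE_LEN] + b"\r\n"
                    for i in range(0, len(enc), B64_LINE_LEN))


def build_smtp_message(attachment: bytes) -> bytes:
    """Constructed SMTP DATA payload carrying the attachment as a base64 part."""
    headers = (b"From: sender@example.invalid\r\n"
               b"To: victim@example.invalid\r\n"
               b"Subject: constructed sample\r\n"
               b"MIME-Version: 1.0\r\n"
               b'Content-Type: multipart/mixed; boundary="xx"\r\n\r\n'
               b"--xx\r\n"
               b"Content-Type: application/octet-stream\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n")
    return headers + mime_b64_lines(attachment) + b"--xx--\r\n"


def wire_match(message: bytes, sig: str) -> bool:
    """What a plain content: match sees: the raw bytes, CRLFs included."""
    return sig.encode("ascii") in message


def decoded_match(message: bytes, sig: str) -> bool:
    """Match after removing the line breaks, as a MIME-aware decoder would."""
    return sig.encode("ascii") in message.replace(b"\r\n", b"")


if __name__ == "__main__":
    msg = build_smtp_message(ATTACHMENT)
    for offset, length in ((0x80, 24), (108, 12)):
        sig = stable_b64_signature(ATTACHMENT, offset, length)
        print(f"window {offset:#x}+{length}: content:\"{sig}\"; "
              f"straddles line break: {straddles_line_break(offset, length)}, "
              f"raw match: {wire_match(msg, sig)}, "
              f"decoded match: {decoded_match(msg, sig)}")
```

The window at 0x80 encodes cleanly and matches on the wire; the window at byte 108 is a legitimate signature of the same file, yet its text crosses the 152-character boundary, so the raw match fails while the CRLF-stripped match succeeds. When picking bytes for a rule like the ones in this thread, either choose a window whose encoded text stays within one 76-column line, or keep the content string short enough that it fits on a line and accept the rare sample whose base64 wrapping differs.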


