[Snort-sigs] Nail worm

Ian Macdonald secsnortsigs at ...644...
Wed Aug 14 14:12:03 EDT 2002


Just got a few false positives from the Nail worm.

From http://vil.mcafee.com/dispVirus.asp?virus_k=10109, the subject line
can be made up of:
'Good Times'
'New Developments'
'WWIII !'
'Market share tipoff...'

alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744; classtype:misc-activity; rev:3;)

So, to reduce false positives, we should probably do:

alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (Market share tipoff)"; content:"Subject: |4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (name =\"WWIII!\")"; content:"|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (New Developments)"; content:"Subject: |4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (Good Times)"; content:"Subject: |47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744; classtype:misc-activity; rev:3;)

I think there might be a typo in sid:742; I think the content should be
"Subject: WWIII !".
I do not have the original packets for these sigs; I am just working from the
information on the McAfee web site in the hope of reducing false positives.

Ian
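To check what the |hex| content bytes in the rules above actually say, and whether the "Subject: " anchor stops a body-text hit, here is an added Python example (not from the post or from the Snort ruleset). The POP3 fragments are constructed, and the matcher is a plain substring search, which is what these rules do since none of them uses nocase.

```python
import re

# Content strings from the post, keyed by sid: (original, tightened).
RULES = {
    741: ('|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|',
          'Subject: |4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|'),
    742: ('|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|',
          '|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|'),   # not anchored in the post
    743: ('|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|',
          'Subject: |4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|'),
    744: ('|47 6F 6F 64 20 54 69 6D 65 73|',
          'Subject: |47 6F 6F 64 20 54 69 6D 65 73|'),
}

def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string (literal text plus |hex| blocks) into raw bytes."""
    out = bytearray()
    for literal, hexblock in re.findall(r'([^|]*)(?:\|([^|]*)\|)?', content):
        out += literal.encode('ascii')
        if hexblock:
            out += bytes.fromhex(hexblock)   # fromhex ignores the spaces
    return bytes(out)

def matches(content: str, payload: bytes) -> bool:
    """A Snort content match without nocase is a case-sensitive substring search."""
    return snort_content_to_bytes(content) in payload

def evaluate(payload: bytes) -> dict:
    """Return {sid: (original rule hits, tightened rule hits)} for one payload."""
    return {sid: (matches(orig, payload), matches(tight, payload))
            for sid, (orig, tight) in RULES.items()}

# Constructed POP3 RETR responses (not real captures).
WORM_MAIL = (b'+OK 512 octets\r\nFrom: someone@example.invalid\r\n'
             b'Subject: New Developments\r\n\r\nsee attachment\r\n.\r\n')
BENIGN_MAIL = (b'+OK 700 octets\r\nSubject: Weekly status\r\n\r\n'
               b'New Developments in Q3 are listed below.\r\n.\r\n')

if __name__ == '__main__':
    print(snort_content_to_bytes(RULES[742][0]))   # shows what sid:742 really looks for
    for name, mail in (('worm', WORM_MAIL), ('benign', BENIGN_MAIL)):
        print(name, evaluate(mail))
```

Decoding sid:742 shows the bytes are `name ="WWIII!`, which is the mismatch against the McAfee subject line that the post suspects.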
