[Snort-sigs] Sigs DB info for SID 1290
bug at ...270...
Sat Jun 22 08:44:03 EDT 2002
See attached. Here's hoping the online signature DB gets fixed soon.
-------------- next part --------------
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:7;)
The source web server may have sent a web page to the destination web client
with malicious mobile code. This malicious mobile code instructs the
web client to download and execute a Nimda-infected .EML attachment.
The destination web client may have been duped into downloading a
Nimda-infected attachment from the source web server.
A Nimda-infected web server may have spread the Nimda worm to the web
One of the methods the Nimda worm uses to propagate is by passing malicious
mobile code from an infected web server to a web client. The Nimda-infected
mobile code often uses the filename extension ".EML".
The fully automated Nimda worm that has already infected an IIS web server
a vulnerable web client attempts to load a web page from this server, the
Nimda-infected readme.eml file, causing the web client to become
Ease of Attack:
The Nimda worm is fully automated and spreads rapidly.
This signature may raise false alarms on web pages that describe the Nimda worm.
The Nimda worm may spread via any file with the .EML or .NWS extension, not
just readme.eml. This rule will not catch other .EML or .NWS files.
Examine the captured packet to determine whether the traffic was from a
Nimda-infected web server or just security web pages describing how the Nimda
Examine both the web server and the web client to determine whether they
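As an added illustration (not part of the original post or of the Snort project's own code), the Python below emulates the matching conditions of SID 1290 (TCP, source port in $HTTP_PORTS, server-to-client direction, case-insensitive content match) over constructed HTTP response bodies, and shows the false-positive and false-negative cases the entry describes. It assumes $HTTP_PORTS is {80, 8080}; the script-context heuristic used for triage is an assumption added here to show the kind of check an analyst would apply to the captured packet, not part of the rule.

```python
import re

# Content string from the rule body: content:"window.open(\"readme.eml\""; nocase;
RULE_CONTENT = 'window.open("readme.eml"'

# Assumed value of $HTTP_PORTS (a site-specific variable in snort.conf).
HTTP_PORTS = {80, 8080}

# Constructed sample HTTP response bodies (not packet captures from the post).
SAMPLES = {
    # Shape of the injected JavaScript the rule targets: a script element that opens readme.eml.
    "infected_server": '<html><script>window.open("readme.eml", null, "PLACEHOLDER")</script></html>',
    # A security advisory page quoting the same string: the false positive the entry warns about.
    "advisory_page": '<p>Nimda injects <code>WINDOW.OPEN("README.EML"</code> into pages.</p>',
    # The same technique with a different .EML filename: the false negative the entry warns about.
    "variant_filename": '<html><script>window.open("sample.eml", null, "PLACEHOLDER")</script></html>',
    # Ordinary page with no match.
    "benign": "<html><body>Hello</body></html>",
}


def content_match(payload: str, needle: str = RULE_CONTENT, nocase: bool = True) -> bool:
    """Emulate Snort's content:"..."; nocase; option: a plain substring test, case-folded."""
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def make_pkt(payload: str, src_port: int = 80, to_client: bool = True, proto: str = "tcp") -> dict:
    """Build a minimal constructed packet record with the fields the rule header inspects."""
    return {"proto": proto, "src_port": src_port, "to_client": to_client, "payload": payload}


def sid_1290_matches(pkt: dict) -> bool:
    """Return True when the packet satisfies the header and body conditions of SID 1290.

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ... flow:to_client,established;
    (the established-state check is omitted; it needs stream tracking, not a single packet).
    """
    return (
        pkt["proto"] == "tcp"
        and pkt["src_port"] in HTTP_PORTS
        and pkt["to_client"]
        and content_match(pkt["payload"])
    )


def classify_match(payload: str) -> str:
    """Triage heuristic (assumption, not part of the rule): does the matched string sit
    inside a <script> element, where it would execute, or in descriptive page text?"""
    for body in re.findall(r"<script[^>]*>(.*?)</script>", payload, re.I | re.S):
        if content_match(body):
            return "script-context"   # consistent with an infected server injecting code
    if content_match(payload):
        return "text-context"         # the string is quoted, e.g. by a page describing Nimda
    return "no-match"


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:18s} alert={sid_1290_matches(make_pkt(body))!s:5s} "
              f"triage={classify_match(body)}")
```

The advisory page alerts just as the infected page does, which is why the entry tells the analyst to examine the captured packet rather than trust the alert alone; the variant filename never alerts, matching the stated false negative.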