[Snort-sigs] Sigs DB info for SID 1290

David Wilburn bug at ...270...
Sat Jun 22 08:44:03 EDT 2002

See attached.  Here's hoping the online signature DB gets fixed soon.

-Dave Wilburn
-------------- next part --------------
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:7;)



The source web server may have sent a web page to the destination web client
containing malicious mobile code.  This mobile code instructs the web client
to download and execute a Nimda-infected .EML attachment (a MIME-encoded mail
message).  The destination web client may therefore have been duped into
downloading a Nimda-infected attachment from the source web server.

A Nimda-infected web server may have spread the Nimda worm to the web

Detailed Information:
One of the methods the Nimda worm uses to propagate is passing malicious
mobile code from an infected web server to a web client.  The file that this
mobile code loads into the client usually carries the filename extension ".EML".

Attack Scenarios:
The fully automated Nimda worm that has already infected an IIS web server
through and infects the local web pages with malicious JavaScript.  When
a vulnerable web client loads a web page from this server, the
JavaScript causes the web client to download and execute the
Nimda-infected readme.eml file, causing the web client to become

Ease of Attack:
The Nimda worm is fully automated and spreads rapidly.

False Positives:
This signature may produce a false alarm on web pages that describe the Nimda
worm and quote the injected JavaScript, since the rule is a plain content match.

False Negatives:
The Nimda worm may spread via any file with the .EML or .NWS extension, not
just readme.eml.  This rule matches only the literal string
window.open("readme.eml" and will not catch other .EML or .NWS files.

Corrective Action:
Examine the captured packet to determine whether the traffic came from a
Nimda-infected web server or from a security web page describing how the Nimda
worm works.
Examine both the web server and the web client to determine whether they
are Nimda-infected.
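The content match of the signature above, together with the caveats under False Positives and False Negatives, as an added Python example that is not part of the original post or of the Snort distribution: it re-implements only the content/nocase part of SID 1290 (flow, ports and direction are taken as given), runs it over constructed sample HTTP response bodies, and adds a broader .eml/.nws regex of the editor's own that is an assumption about how the false-negative gap could be narrowed, not something the posted rule does.

```python
"""Apply the content match of Snort SID 1290 to constructed HTTP responses.

Added illustration, not code from the Snort-sigs post.  It evaluates only
the 'content' / 'nocase' options of the rule in Python and runs them over
hand-written sample payloads so the documented false positive and false
negative can be seen directly.
"""
import re

# Rule text as posted (rev 7).  Only content/nocase are evaluated below.
SID_1290 = (
    r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    r'(msg:"WEB-MISC readme.eml autoload attempt"; flow:to_client,established; '
    r'content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; '
    r'sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:7;)'
)

# Constructed sample server->client bodies (not captures from the post).
SAMPLES = {
    # Nimda-style footer appended to a page: JavaScript opening readme.eml
    "nimda_infected_page": (
        "<html><body>Welcome</body></html>\n"
        '<script language="JavaScript">window.open("readme.eml", null, '
        '"resizable=no,top=6000,left=6000")</script>'
    ),
    # Upper-case variant; 'nocase' means this must still match
    "nimda_uppercase": '<SCRIPT>WINDOW.OPEN("README.EML", NULL)</SCRIPT>',
    # An advisory quoting the payload: the documented false positive
    "advisory_describing_nimda": (
        '<p>Nimda appends the string window.open("readme.eml", null, ...) '
        "to every web page it finds.</p>"
    ),
    # Same technique, different file names: the documented false negative
    "nimda_other_eml": '<script>window.open("sample.eml", null)</script>',
    "nimda_nws": '<script>window.open("index.nws", null)</script>',
    # Benign popup, should never match
    "clean_page": '<script>window.open("help.html", null)</script>',
}


def parse_content_option(rule: str):
    """Return (pattern, nocase) for the first content option in a Snort rule.

    Handles backslash escapes inside the quoted string (\\" \\\\ \\;).  It does
    not decode |hex| byte blocks, which this rule does not use.
    """
    start = re.search(r'content:\s*"', rule)
    if start is None:
        raise ValueError("rule has no content option")
    i, chars = start.end(), []
    while i < len(rule):
        c = rule[i]
        if c == "\\" and i + 1 < len(rule):   # escaped character
            chars.append(rule[i + 1])
            i += 2
            continue
        if c == '"':                           # unescaped closing quote
            break
        chars.append(c)
        i += 1
    else:
        raise ValueError("unterminated content string")
    # 'nocase' modifies the content option that precedes it, so look only
    # at the options between this content and the next one (if any).
    rest = rule[i + 1:]
    nxt = re.search(r"content:", rest)
    modifiers = rest[: nxt.start()] if nxt else rest
    nocase = re.search(r"\bnocase\s*;", modifiers) is not None
    return "".join(chars), nocase


def content_match(payload: str, pattern: str, nocase: bool) -> bool:
    """Snort 'content' is a plain substring search; 'nocase' folds case."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def evaluate_rule(rule: str, samples: dict) -> dict:
    """Map each sample name to whether the rule's content option fires."""
    pattern, nocase = parse_content_option(rule)
    return {name: content_match(body, pattern, nocase) for name, body in samples.items()}


# Assumed broader check (editor's own, not from the post): any window.open()
# of a .eml or .nws file, which is what the False Negatives note says the
# literal readme.eml match misses.
EML_NWS_AUTOLOAD = re.compile(r'window\.open\s*\(\s*"[^"]*\.(?:eml|nws)"', re.I)


def evaluate_broader(samples: dict) -> dict:
    """Map each sample name to whether the broader .eml/.nws pattern fires."""
    return {name: EML_NWS_AUTOLOAD.search(body) is not None for name, body in samples.items()}


if __name__ == "__main__":
    narrow = evaluate_rule(SID_1290, SAMPLES)
    broad = evaluate_broader(SAMPLES)
    for name in SAMPLES:
        print(f"{name:28} sid1290={narrow[name]!s:5} eml_nws={broad[name]!s:5}")
```

Running it shows the rule firing on both the injected footer and its upper-case variant, firing on the advisory text as well (the false positive), and staying silent on sample.eml and index.nws (the false negative). The broader pattern closes the latter gap but still fires on the advisory, which is why the Corrective Action above sends the analyst to the captured packet rather than trusting the alert alone.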
