[Snort-sigs] sid 729

Lora Fulton lfulton at ...437...
Tue Mar 12 19:29:10 EST 2002


Hi,  Hope this helps.  Please let me remain anonymous.  Thanks


# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content:".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)

Sid:	sid 729

Summary: Possible windows virus detected.

Impact: Depends on which virus (if any) is caught.

Detailed Information: Some PC viruses are circulating in screen savers. Typically, a screen saver has an .scr extension.

Attack Scenarios: Typically circulates via e-mail.

Ease of Attack: Simple

False Positives: Can catch legitimate screen savers sent in an e-mail message. (Your mileage may vary.) Also not every .scr file is a screen saver.

False Negatives: Not sure.  Perhaps you can think of some?

Corrective Action: A quick comparison of the packet and your virus protection manufacturer's virus database will determine if the alert is real.  Example: Your snort log shows an attachment "My Life.scr".  Go to McAfee's Virus center and look at their newly discovered virus list at http://vil.nai.com/VIL/newly-discovered-viruses.asp.  There you see an entry for a virus named w32/mylife at ...438...
If you don't see any matches in the newly discovered list, search their virus information library at http://vil.nai.com/VIL/ .  If you find a match, one of your systems is probably
You will need to follow the removal instructions from an AV vendor of your choice and install/update/configure AV software on the infected system.

Contributors: lf

Additional References:
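As an added illustration (not part of this submission or of the Snort distribution): the content match sid 729 performs, beside the kind of triage step the Corrective Action section describes, run over two constructed POP3 RETR responses. The addresses, message text and the stub attachment are all made up for the example.

```python
import base64
import email
from email import policy

# Constructed POP3 RETR response (not a real capture): a MIME mail carrying an
# attachment named "My Life.scr" whose body is a harmless stub that merely
# starts with the "MZ" bytes every Windows executable begins with.
STUB_PE = base64.b64encode(b"MZ" + b"\x00" * 30).decode()
MAIL_WITH_SCR = (
    "+OK 600 octets\r\n"
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\n"
    "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"bnd\"\r\n\r\n"
    "--bnd\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    "--bnd\r\nContent-Type: application/octet-stream; name=\"My Life.scr\"\r\n"
    "Content-Disposition: attachment; filename=\"My Life.scr\"\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n" + STUB_PE + "\r\n--bnd--\r\n.\r\n"
).encode()
# Constructed plain-text mail that only *mentions* a .SCR file: the false
# positive the submission warns about, since the rule matches the substring.
MAIL_MENTIONING_SCR = (
    "+OK 120 octets\r\nFrom: a@example.test\r\nSubject: re: logo\r\n\r\n"
    "I renamed LOGO.SCR to logo.txt before sending it.\r\n.\r\n"
).encode()

def sid729_matches(payload: bytes) -> bool:
    """What the rule's content match does: case-insensitive '.scr' anywhere
    in a server->client packet on TCP 110, headers and body alike."""
    return b".scr" in payload.lower()

def scr_attachments(payload: bytes) -> list:
    """Triage step: parse the message behind the +OK line and return
    (filename, starts_with_MZ) for every attachment named *.scr."""
    body = payload.split(b"\r\n", 1)[1]
    msg = email.message_from_bytes(body, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".scr"):
            data = part.get_payload(decode=True) or b""
            found.append((name, data.startswith(b"MZ")))
    return found

if __name__ == "__main__":
    for label, pkt in (("attachment", MAIL_WITH_SCR), ("mention", MAIL_MENTIONING_SCR)):
        print(label, "sid729:", sid729_matches(pkt), "scr:", scr_attachments(pkt))
```

Both samples trip the signature; only the first actually carries an .scr attachment, and the MZ check separates a real executable from a file that merely has the extension.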

