[Snort-sigs] sid 729

Lora Fulton lfulton at ...437...
Tue Mar 12 19:29:10 EST 2002



Hi,  Hope this helps.  Please let me remain anonymous.  Thanks

--------------------------------------------------------------------------

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content:".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)

--
Sid:	sid 729

--
Summary: Possible windows virus detected.

--
Impact: Depends on which virus (if any) is caught.

--
Detailed Information: Some PC viruses are circulating in screen savers. Typically, a screen saver has an .scr extension.

--
Attack Scenarios: Typically circulates via e-mail.

--
Ease of Attack: Simple

--
False Positives: Can catch legitimate screen savers sent in an e-mail message. (Your mileage may vary.) Also not every .scr file is a screen saver.
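As an added illustration (not part of the original post, and not Snort code), the script below shows why the bare content:".scr"; nocase; match in sid 729 also fires on a message with no attachment at all, and how parsing the MIME filename instead narrows the alert to actual .scr attachments. The two sample messages are constructed, not captured traffic.

```python
import email
from email import policy

# Constructed sample POP3 message bodies (not real captured traffic).
# Message 1 carries a .SCR attachment; message 2 only mentions a URL whose
# path happens to contain the substring ".scr" (".scripts").
SAMPLE_MSG_WITH_SCR = b"""From: alice@example.test
To: bob@example.test
Subject: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

look at this
--XX
Content-Type: application/octet-stream; name="My Life.SCR"
Content-Disposition: attachment; filename="My Life.SCR"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQ=
--XX--
"""

SAMPLE_MSG_FALSE_POSITIVE = b"""From: carol@example.test
To: bob@example.test
Subject: docs
Content-Type: text/plain

The build notes are at http://example.test/release.scripts/notes.html
"""


def sid729_substring_match(payload: bytes) -> bool:
    """Mimic sid 729: content:".scr"; nocase; matches anywhere in the payload."""
    return b".scr" in payload.lower()


def scr_attachment_names(payload: bytes) -> list[str]:
    """Return attachment filenames ending in .scr (case-insensitive),
    found by walking the MIME parts rather than scanning raw bytes."""
    msg = email.message_from_bytes(payload, policy=policy.default)
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(".scr"):
            names.append(fname)
    return names
```

Both samples trip the substring check, but only the first yields an .scr attachment name, which is the case the Corrective Action section tells you to look up against a vendor virus database.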

--
False Negatives: Not sure.  Perhaps you can think of some?

--
Corrective Action: A quick comparison of the packet and your virus protection software manufacturer's virus database will determine if the alert is real.  Example: Your snort log shows an attachment "My Life.scr".  Go to McAfee's Virus center and look at their newly discovered virus list at http://vil.nai.com/VIL/newly-discovered-viruses.asp. There you see an entry for a virus named w32/mylife at ...438... (http://vil.nai.com/vil/content/v_99381.htm). If you don't see any matches in the newly discovered list, search their virus information library at http://vil.nai.com/VIL/ . If you find a match, one of your systems is probably infected. You will need to follow the removal instructions from an AV vendor of your choice and install/update/configure AV software on the infected system.

--
Contributors: lf

--
Additional References:

http://whatis.techtarget.com/fileFormatS/0,289963,sid9,00.html
