[Snort-sigs] Update to signature

Tim Vienneau timothy.vienneau at ...2074...
Wed Dec 17 07:51:06 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  NETBIOS nimda RICHED20.DLL 

Sid: 1295 

Summary:  This rule indicates traffic containing the RICHED20.DLL file,
which is the DLL used by the Microsoft Office RichEdit control. That file name
is also used by a component of the Nimda worm.

Impact:   This signature most likely indicates spread of the Nimda virus on the network.

Detailed Information: Nimda spreads by file infection, mass emailer, file share, or IIS 
unicode exploit to attack unpatched systems. Please see reference 2 below for additional

Affected Systems: Windows versions up to and including Windows 2000 without
the available patch, see reference 1 below.

Attack Scenarios: An unpatched server is connected to the internet and is infected or
an infected mail is opened.

Ease of Attack: Simple

False Positives: Application/User may access the Microsoft RichEdit control across the 
network causing a false positive.

False Negatives: Unknown

Corrective Action: Check the suspect host for signs of infection. Apply patches 
or upgrade as outlined in reference 1 below to prevent spread.

Contributors: Timothy Vienneau

Additional References:
On the NIMDA worm:
1. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp
2. http://www.f-secure.com/v-descs/nimda.shtml
On the Microsoft RichEdit Control: 
3. http://msdn.microsoft.com/library/en-us/vclib/html/vclrfafxinitrichedit2.asp

Timothy Vienneau
IS Manager 
eiStream ViewStar
