[Snort-sigs] Update to signature
timothy.vienneau at ...2074...
Wed Dec 17 07:51:06 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule: NETBIOS nimda RICHED20.DLL
Summary: This rule indicates traffic containing the RICHED20.DLL file,
which is the DLL used by the Microsoft Office RichEdit control. That file name
is also used by a component of the Nimda worm.
Impact: This signature most likely indicates spread of the Nimda virus on the network.
Detailed Information: Nimda spreads by file infection, mass emailer, file share, or IIS
unicode exploit to attack unpatched systems. Please see reference 2 below for additional
Affected Systems: Windows versions up to and including Windows 2000 without
the available patch, see reference 1 below.
Attack Scenarios: An unpatched server is connected to the internet and is infected or
an infected mail is opened.
Ease of Attack: Simple
False Positives: An application or user may access the Microsoft RichEdit control across the
network, causing a false positive.
False Negatives: Unknown
Corrective Action: Check the suspect host for signs of infection. Apply patches
or upgrade as outlined in reference 1 below to prevent spread.
Contributors: Timothy Vienneau
On the NIMDA worm:
On the Microsoft RichEdit Control:
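
As an added illustration (not part of the original post and not Snort's own rule), the sketch below matches the file name in SMB payloads in both ASCII and UTF-16LE form and groups hits by source host, one way to separate the false-positive case described above from a host touching the file on many systems. The payloads, addresses and the `spread_threshold` of 3 are constructed assumptions.

```python
from collections import defaultdict

FILENAME = "RICHED20.DLL"
# SMB carries names as ASCII/OEM bytes or, when Unicode is negotiated,
# as UTF-16LE, so a content match has to cover both encodings.
PATTERNS = (FILENAME.encode("ascii"), FILENAME.encode("utf-16-le"))


def payload_mentions_file(payload: bytes) -> bool:
    """Case-insensitive search for the file name in either encoding."""
    upper = payload.upper()  # uppercases ASCII letters only; NUL bytes untouched
    return any(pattern in upper for pattern in PATTERNS)


def triage(events, spread_threshold=3):
    """events: iterable of (src_ip, dst_ip, payload) tuples.

    Returns {src_ip: verdict}. A source that references the file on
    spread_threshold or more distinct destinations is flagged for a
    worm-spread check; fewer hits look like ordinary RichEdit access.
    The threshold is an assumption to tune per network.
    """
    destinations = defaultdict(set)
    for src, dst, payload in events:
        if payload_mentions_file(payload):
            destinations[src].add(dst)
    return {
        src: "investigate-spread" if len(dsts) >= spread_threshold
        else "review-single-access"
        for src, dsts in destinations.items()
    }


# Constructed sample payload fragments (not captured traffic).
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.20", b"\x00\\share\\docs\\riched20.dll\x00"),
    ("10.0.0.5", "10.0.0.21", "\\docs\\RICHED20.DLL".encode("utf-16-le")),
    ("10.0.0.5", "10.0.0.22", b"\\RICHED20.DLL"),
    ("10.0.0.9", "10.0.0.30", "\\Office\\Riched20.dll".encode("utf-16-le")),
    ("10.0.0.7", "10.0.0.30", b"\\Office\\WINWORD.EXE"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```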