[Snort-sigs] Update to signature

Tim Vienneau timothy.vienneau at ...2074...
Wed Dec 17 07:51:06 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  NETBIOS nimda RICHED20.DLL 

--
Sid: 1295 

--
Summary:  This rule indicates traffic containing the RICHED20.DLL file,
which is the DLL used by the Microsoft Office RichEdit control. That file name
is also used by a component of the Nimda worm.

--
Impact:   This signature most likely indicates spread of the Nimda virus on the network.

--
Detailed Information: Nimda spreads by file infection, mass emailer, file share, or IIS
Unicode exploit to attack unpatched systems. Please see reference 2 below for additional
information.

--
Affected Systems: Windows versions up to and including Windows 2000 without
the available patch, see reference 1 below.

--
Attack Scenarios: An unpatched server is connected to the Internet and is infected, or
an infected mail is opened.

--
Ease of Attack: Simple

--
False Positives: An application or user may access the Microsoft RichEdit control across the
network, causing a false positive.

--
False Negatives: Unknown

--
Corrective Action: Check the suspect host for signs of infection. Apply patches 
or upgrade as outlined in reference 1 below to prevent spread.

--
Contributors: Timothy Vienneau

-- 
Additional References:
On the NIMDA worm:
1. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp
2. http://www.f-secure.com/v-descs/nimda.shtml
On the Microsoft RichEdit Control: 
3. http://msdn.microsoft.com/library/en-us/vclib/html/vclrfafxinitrichedit2.asp

--
Timothy Vienneau
IS Manager 
eiStream ViewStar
http://www.viewstar.com
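
Added example, not part of the original post and not Snort's own code: a file-name match of the kind the Summary describes fires on any transfer that names RICHED20.DLL, which is the false positive noted above, so matches are grouped by source host to decide which host to check first. The rule's actual content match is not shown in this post; the ASCII/UTF-16LE case-insensitive match, the fan-out threshold, the labels and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict

FILENAME = "RICHED20.DLL"
# Assumption: the file name may appear on the wire as ASCII or UTF-16LE.
PATTERNS = {
    "ascii": FILENAME.lower().encode("ascii"),
    "utf-16le": FILENAME.lower().encode("utf-16-le"),
}

def find_filename(payload: bytes):
    """Return (encoding, byte offset) of the first file-name match, or None."""
    haystack = payload.lower()  # bytes.lower() folds ASCII letters only
    hits = [(haystack.find(p), enc) for enc, p in PATTERNS.items()]
    hits = [(off, enc) for off, enc in hits if off >= 0]
    if not hits:
        return None
    off, enc = min(hits)
    return enc, off

def triage(events, fanout_threshold=3):
    """Group matching events by source host.

    A name-only match cannot tell the legitimate RichEdit DLL from the worm
    component, so a source that sends the name to many distinct hosts is
    prioritised for the host check (hypothetical heuristic and threshold).
    """
    dests = defaultdict(set)
    for src, dst, payload in events:
        if find_filename(payload) is not None:
            dests[src].add(dst)
    return {
        src: "check-host-first" if len(d) >= fanout_threshold else "review"
        for src, d in dests.items()
    }

# Constructed sample traffic (not captured data): (src, dst, payload)
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.20", b"\x00\\Office\\riched20.dll\x00"),
    ("10.0.0.9", "10.0.0.21", "\\docs\\RICHED20.DLL".encode("utf-16-le")),
    ("10.0.0.9", "10.0.0.22", "\\share\\RICHED20.DLL".encode("utf-16-le")),
    ("10.0.0.9", "10.0.0.23", "\\home\\Riched20.dll".encode("utf-16-le")),
    ("10.0.0.7", "10.0.0.20", b"\\docs\\report.doc"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```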
