[Snort-sigs] Update to signature

Nigel Houghton nigel at ...435...
Wed Dec 17 08:16:01 EST 2003


Thank you for your submission. It will be reviewed shortly and added to
the Snort document database.

Around Monday Tim Vienneau said:

TV :# This is a template for submitting snort signature descriptions to
TV :# the snort.org website
TV :#
TV :# Ensure that your descriptions are your own
TV :# and not the work of others.  References in the rules themselves
TV :# should be used for linking to others' work.
TV :#
TV :# If you are unsure of some part of a rule, use that as a commentary
TV :# and someone else perhaps will be able to fix it.
TV :#
TV :# $Id$
TV :#
TV :#
TV :
TV :Rule:  NETBIOS nimda RICHED20.DLL
TV :
TV :--
TV :Sid: 1295
TV :
TV :--
TV :Summary:  This rule indicates traffic containing the RICHED20.DLL file,
TV :which is the DLL used by the Microsoft Office RichEdit control. That file name
TV :is also used by a component of the Nimda worm.
TV :
TV :--
TV :Impact:   This signature most likely indicates spread of the Nimda virus on the network.
TV :
TV :--
TV :Detailed Information: Nimda spreads by file infection, mass e-mail, file shares, or the IIS
TV :Unicode exploit to attack unpatched systems. Please see reference 2 below for additional
TV :information.
TV :
TV :--
TV :Affected Systems: Windows versions up to and including Windows 2000 without
TV :the available patch, see reference 1 below.
TV :
TV :--
TV :Attack Scenarios: An unpatched server is connected to the internet and is infected or
TV :an infected mail is opened.
TV :
TV :--
TV :Ease of Attack: Simple
TV :
TV :--
TV :False Positives: Application/User may access the Microsoft RichEdit control across the
TV :network causing a false positive.
TV :
TV :--
TV :False Negatives: Unknown
TV :
TV :--
TV :Corrective Action: Check the suspect host for signs of infection. Apply patches
TV :or upgrade as outlined in reference 1 below to prevent spread.
TV :
TV :--
TV :Contributors: Timothy Vienneau
TV :
TV :

-----------------------------------------------------------------------
Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr."
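The description above says what the rule keys on (the RICHED20.DLL file name in NetBIOS traffic) and why ordinary RichEdit use over a share trips it. The following is an added example, not code from the Snort-sigs post or from the Snort ruleset: a minimal Snort-style content check run over constructed SMB-like payloads, so both the worm-like hit and the false-positive case can be seen side by side. It assumes, since the page does not state it, that the file name is matched as case-insensitive UTF-16LE (the encoding SMB uses for Unicode paths) on TCP port 139; the hosts, paths and packets are made up.

```python
# Added example, not code from the Snort-sigs post or from the Snort ruleset.
# It mimics the content check a rule like SID 1295 performs so the false
# positive described in the write-up can be seen on constructed data.
#
# Assumption (not stated on the page): the filename is matched as
# case-insensitive UTF-16LE, the encoding SMB uses for Unicode paths, on
# TCP/139. Every packet below is constructed, not captured traffic.
from __future__ import annotations

from dataclasses import dataclass

NETBIOS_SSN_PORT = 139
FILENAME = "RICHED20.DLL"


def smb_unicode(s: str) -> bytes:
    """Encode a path the way an SMB Unicode string appears on the wire (UTF-16LE)."""
    return s.encode("utf-16-le")


def snort_nocase_find(payload: bytes, pattern: bytes) -> int:
    """Snort-style 'content' search with 'nocase': bytewise ASCII case folding.

    bytes.lower() only touches A-Z, so the NUL bytes of UTF-16LE are left
    alone and 'riched20.dll' still lines up with 'RICHED20.DLL'.
    Returns the match offset, or -1 when the pattern is absent.
    """
    return payload.lower().find(pattern.lower())


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def rule_1295_like(pkt: Packet) -> bool:
    """Fire when a packet to the NetBIOS session port carries the
    RICHED20.DLL filename in UTF-16LE, regardless of letter case."""
    if pkt.dport != NETBIOS_SSN_PORT:
        return False
    return snort_nocase_find(pkt.payload, smb_unicode(FILENAME)) != -1


def triage(packets: list[Packet]) -> list[tuple[str, bool]]:
    """Run the check over a batch and return (source host, fired) pairs."""
    return [(p.src, rule_1295_like(p)) for p in packets]


# Constructed sample traffic (hypothetical hosts and paths).
SAMPLES = [
    # Worm-like: a host pushing the file under a lower-case name to an
    # admin share. Fires.
    Packet("10.0.0.7", "10.0.0.2", 139,
           b"\xffSMB" + smb_unicode(r"\ADMIN$\system32\riched20.dll")),
    # Legitimate: Office loading the RichEdit DLL from a file share.
    # Also fires; this is the false positive the write-up warns about.
    Packet("10.0.0.9", "10.0.0.2", 139,
           b"\xffSMB" + smb_unicode(r"\apps\Office\RICHED20.DLL")),
    # Same filename over HTTP on port 80: outside this rule's scope.
    Packet("10.0.0.11", "10.0.0.2", 80,
           b"GET /RICHED20.DLL HTTP/1.0\r\n\r\n"),
    # Unrelated DLL on port 139: no match.
    Packet("10.0.0.13", "10.0.0.2", 139,
           b"\xffSMB" + smb_unicode(r"\apps\Office\MSO.DLL")),
]

if __name__ == "__main__":
    for host, fired in triage(SAMPLES):
        print(f"{host:<12} {'ALERT' if fired else 'pass'}")
```

The second sample is the point of the "False Positives" entry: the byte pattern alone cannot tell a worm copying its component to a share from a workstation loading the RichEdit control from one, so an alert from this rule needs the host check the "Corrective Action" entry describes before it is treated as an infection.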
