[Snort-sigs] SID 720
alexander.s at ...1565...
Mon Jun 9 14:53:04 EDT 2003
Virus - SnowWhite Trojan Incoming
An email message was received that may contain the SnowWhite Worm.
Possible system compromise.
This signature looks for an email message with the unique mispelling
"Suddlently". This mispelling is part of the content of the Snow White
Worm. The worm is also called Hybris. It replaces wsock32.dll on the
infected system and monitors the internet connection for other email
addresses that it can send itself to.
The worm is sent by hosts that are already infected.
Ease of Attack:
Use anti-virus software to remove the worm. It may be necessary to
reboot into safe-mode.
Documentation - Steven Alexander<alexander.s at ...1565...>
More information about the Snort-sigs