[Snort-sigs] SID 720

Steven Alexander alexander.s at ...1565...
Mon Jun 9 14:53:04 EDT 2003


Rule:  
Virus - SnowWhite Trojan Incoming
--
Sid:

720

--
Summary:
An email message was received that may contain the SnowWhite Worm.

--
Impact:

Possible system compromise.

--
Detailed Information:

This signature looks for an email message with the unique misspelling
"Suddlently".  This misspelling is part of the content of the Snow White
Worm.  The worm is also called Hybris.  It replaces wsock32.dll on the
infected system and monitors the internet connection for other email
addresses that it can send itself to.
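The matching logic the paragraph above describes, as an added illustration rather than the rule text from the Snort ruleset: a plain content match for the string "Suddlently" applied to mail traffic. The actual SID 720 rule options are not reproduced in this post, so the destination port (25/SMTP), the case-sensitive match and the packet layout below are assumptions made for the example, and all sample traffic is constructed.

```python
"""Toy content-match detector modelled on the SID 720 description.

Added example, not the Snort rule itself.  Assumptions: mail arrives on
TCP/25, and the signature is a plain (case-sensitive) 'content' match on
the misspelling "Suddlently".  The 'nocase' switch is included only to show
how widening the match changes the false-positive behaviour.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

SID = 720
MSG = "Virus - SnowWhite Trojan Incoming"
CONTENT = b"Suddlently"   # the misspelling the signature keys on
SMTP_PORT = 25            # assumption: inbound SMTP is where the mail lands


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a TCP segment: addresses, destination port, payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def content_match(payload: bytes, content: bytes, nocase: bool = False) -> bool:
    """Mimic a Snort 'content' option: substring search, optional 'nocase'."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def inspect(pkt: Packet, nocase: bool = False) -> Optional[dict]:
    """Return an alert record when the packet satisfies the SID 720 logic."""
    if pkt.dport != SMTP_PORT:          # only look at traffic headed for SMTP
        return None
    if not content_match(pkt.payload, CONTENT, nocase):
        return None
    return {"sid": SID, "msg": MSG, "src": pkt.src, "dst": pkt.dst}


def scan(packets: Iterable[Packet], nocase: bool = False) -> List[dict]:
    """Run inspect() over a packet stream and collect the alerts."""
    return [a for a in (inspect(p, nocase) for p in packets) if a is not None]


# Constructed sample traffic (RFC 5737 documentation addresses), not captures.
SAMPLES = [
    # worm-like body text: exact misspelling, SMTP port -> should alert
    Packet("192.0.2.10", "198.51.100.5", 25,
           b"Subject: a story\r\n\r\nSuddlently the dwarfs heard a noise.\r\n"),
    # an advisory quoting the string in lower case: alerts only with nocase
    Packet("192.0.2.11", "198.51.100.5", 25,
           b"Subject: AV advisory\r\n\r\nWe saw the worm text 'suddlently' quoted.\r\n"),
    # same string on a non-mail port: ignored by the port check
    Packet("192.0.2.12", "198.51.100.5", 80,
           b"GET /Suddlently HTTP/1.0\r\n\r\n"),
    # correctly spelled word: never matches
    Packet("192.0.2.13", "198.51.100.5", 25,
           b"Subject: lunch\r\n\r\nSuddenly everyone was hungry.\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

The second sample is the kind of legitimate message (an advisory or reply that quotes the worm text) that makes the "False Positives: Possible" entry below accurate; note that it only fires when the match is made case-insensitive.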

--
Affected Systems:

Microsoft Windows
--
Attack Scenarios:

The worm is sent by hosts that are already infected.  

--
Ease of Attack:
Very Simple

--
False Positives:

Possible.

--
False Negatives:

None known.
--
Corrective Action:

Use anti-virus software to remove the worm.  It may be necessary to
reboot into safe mode.

--
Contributors:
Documentation - Steven Alexander<alexander.s at ...1565...>
-- 
Additional References:

http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
http://www.giac.org/practical/gsec/Aaron_King_GSEC.pdf
http://www.f-secure.com/v-descs/hybris.shtml