[Snort-sigs] Sobig.E variant

Esler, Joel Contractor EslerJ at ...785...
Thu Jun 26 11:05:06 EDT 2003

In case the rest of the world got hit as hard as other people did with this
virus..  Grrr..

This MAY work...  Editing???

alert tcp any any -> any any (msg:"W32.Sobig.E Possible worm"; \
    content:"kernel32.dll"; content:"user32.dll"; \
    content:"GetModuleHandleA"; content:"MessageBoxA"; rev:1;)

These things are referenced at the end of the virus.
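
An added example, not part of the original post: a simplified Python emulation of how the rule's four content options are evaluated, run over constructed payloads to see what the rule would and would not match before deploying it. The function names and sample bytes are assumptions made for illustration, and Snort's stream reassembly and preprocessors are not modelled.

```python
import base64
import re

# The rule from the post, joined onto one line.
RULE = ('alert tcp any any -> any any (msg:"W32.Sobig.E Possible worm"; '
        'content:"kernel32.dll"; content:"user32.dll"; '
        'content:"GetModuleHandleA"; content:"MessageBoxA"; rev:1;)')


def content_patterns(rule):
    """Extract the plain-text content:"..." patterns of a rule as bytes."""
    return [p.encode("ascii") for p in re.findall(r'content:"([^"]*)";', rule)]


def missing_patterns(rule, payload):
    """Patterns not found in payload. Content options without modifiers are
    case-sensitive and may match anywhere in the payload, in any order."""
    return [p.decode() for p in content_patterns(rule) if p not in payload]


def rule_matches(rule, payload):
    """The rule fires only when every content pattern is present."""
    return not missing_patterns(rule, payload)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Import names in clear, as in any executable importing these two APIs.
    "cleartext_binary": b"\x00kernel32.dll\x00GetModuleHandleA\x00"
                        b"user32.dll\x00MessageBoxA\x00",
    # Same names, DLL name stored in upper case.
    "uppercase_dll": b"\x00KERNEL32.DLL\x00GetModuleHandleA\x00"
                     b"user32.dll\x00MessageBoxA\x00",
    # Only two of the four strings present.
    "partial": b"\x00user32.dll\x00MessageBoxA\x00",
}
# The cleartext sample as it would travel base64-encoded in a MIME part.
SAMPLES["base64_mime"] = base64.encodebytes(SAMPLES["cleartext_binary"])

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict = "ALERT" if rule_matches(RULE, payload) else "no alert"
        print(f"{name:17} {verdict:9} missing={missing_patterns(RULE, payload)}")
```

Only the first sample alerts, which means any cleartext transfer of a program carrying these four common strings would alert as well. The upper-case and base64 samples show where a `nocase` modifier or matching on the decoded attachment would be needed.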


