[Snort-sigs] Sobig.E variant

Steven Alexander alexander.s at ...1565...
Thu Jun 26 11:27:07 EDT 2003


Kernel32.dll and user32.dll are libraries supplied with Windows.
GetModuleHandleA and MessageBoxA are normal Windows API calls.  This
rule would trigger on the transfer of any Windows program that uses both
of those API calls.  The false positives would be way too high.

-steven  
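To make the false-positive argument concrete, here is an added example (not from either poster) that approximates how Snort 2 evaluates the four unmodified `content:` options in the proposed rule (every string must occur somewhere in the payload, case-sensitively, in any order) and runs that check over constructed import-name blobs of the kind any compiled Windows program carries. The sample blobs and their labels are constructed for illustration; no real binaries are involved.

```python
"""Why a rule keyed on common import names cannot tell a worm from a GUI app."""

# The four content: matches from the rule quoted in the thread.
SOBIG_RULE_CONTENTS = [b"kernel32.dll", b"user32.dll",
                       b"GetModuleHandleA", b"MessageBoxA"]


def snort_contents_match(payload: bytes, contents) -> bool:
    """Approximate Snort 2 'content:' semantics with no modifiers.

    Each content string must appear somewhere in the payload; the match is
    case-sensitive (no 'nocase') and relative order is not enforced (no
    'distance'/'within'). This mirrors the rule as posted, which is why it
    fires on anything that merely imports these four names.
    """
    return all(c in payload for c in contents)


def build_import_strings(imports: dict) -> bytes:
    """Build a NUL-separated blob shaped like the DLL and function names in a
    PE import table. Constructed sample data, not a real executable."""
    parts = []
    for dll, funcs in imports.items():
        parts.append(dll.encode())
        parts.extend(f.encode() for f in funcs)
    return b"\x00".join(parts) + b"\x00"


# Constructed samples (assumptions: these are typical import sets, not
# anything taken from the worm itself).
SAMPLES = {
    # An ordinary GUI program that pops a dialog box: imports all four names.
    "benign_gui_app": build_import_strings({
        "kernel32.dll": ["GetModuleHandleA", "ExitProcess"],
        "user32.dll": ["MessageBoxA"],
    }),
    # A console utility that never touches user32.dll.
    "console_tool": build_import_strings({
        "kernel32.dll": ["GetStdHandle", "WriteFile", "ExitProcess"],
    }),
    # Same imports as the GUI app, but the linker wrote the DLL names in
    # upper case; the case-sensitive rule silently misses this one.
    "mixed_case_imports": build_import_strings({
        "KERNEL32.dll": ["GetModuleHandleA"],
        "USER32.dll": ["MessageBoxA"],
    }),
}


def matched_samples(samples=SAMPLES, contents=SOBIG_RULE_CONTENTS):
    """Return the sorted names of samples on which the rule would fire."""
    return sorted(name for name, blob in samples.items()
                  if snort_contents_match(blob, contents))


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20s} rule fires: {snort_contents_match(blob, SOBIG_RULE_CONTENTS)}")
```

Running it shows the rule firing on the benign GUI program while missing the same program with upper-case DLL names: it is at once too broad (any MessageBoxA-using application transferred over the wire triggers it) and too brittle (a case difference defeats it). A rule built on byte sequences unique to the sample, ideally anchored with `offset`/`depth` or `distance`/`within`, is what such a signature would need.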

> -----Original Message-----
> From: Esler, Joel Contractor [mailto:EslerJ at ...785...] 
> Sent: Thursday, June 26, 2003 10:51 AM
> To: 'snort-sigs at lists.sourceforge.net'
> Subject: [Snort-sigs] Sobig.E variant
> 
> 
> In case the rest of the world got hit as hard as other people 
> did with this virus..  Grrr..
> 
> This MAY work...  Editing???
> 
> alert tcp any any -> any any (msg:"W32.Sobig.E Possible 
> worm"; content:"kernel32.dll"; content:"user32.dll"; 
> content:"GetModuleHandleA"; content:"MessageBoxA"; rev:1;)
> 
> These things are referenced at the end of the virus.
> 
> j
> 
