[Snort-sigs] Sobig.E variant

Esler, Joel Contractor EslerJ at ...785...
Thu Jun 26 12:29:14 EDT 2003

I would agree with you; however, when looking for ALL these things in
conjunction, it would help. Now, I do agree that someone who has a better
packet capture of the virus could help me with the depth and stuff; however,
this works.  And the only false positive that it detected was your email.


-----Original Message-----
From: Steven Alexander [mailto:alexander.s at ...1565...] 
Sent: Thursday, June 26, 2003 2:27 PM
To: Esler, Joel Contractor; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Sobig.E variant

Kernel32.dll and user32.dll are libraries supplied with Windows.
GetModuleHandleA and MessageBoxA are normal Windows API calls.  This rule
would trigger on the transfer of any windows program that uses both of those
API calls.  The false positives would be way too high.


> -----Original Message-----
> From: Esler, Joel Contractor [mailto:EslerJ at ...785...]
> Sent: Thursday, June 26, 2003 10:51 AM
> To: 'snort-sigs at lists.sourceforge.net'
> Subject: [Snort-sigs] Sobig.E variant
> In case the rest of the world got hit as hard as other people
> did with this virus..  Grrr..
>
> This MAY work...  Editing???
>
> alert tcp any any -> any any (msg:"W32.Sobig.E Possible
> worm"; content:"kernel32.dll"; content:"user32.dll";
> content:"GetModuleHandleA"; content:"MessageBoxA"; rev:1;)
>
> These things are referenced at the end of the virus.
>
> j
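The false-positive point raised in the thread, worked through as an added example (not code from the list or from either poster): a minimal evaluator for Snort "content" options, run against two constructed payloads. It assumes simplified Snort matching semantics (case-sensitive, distance/within as a search window after the previous match) and an assumed 64-byte "within" window for the tighter rule; the payload layouts are constructed, not captured traffic.

```python
# Added example, not from the thread. Evaluates the posted rule's content
# chain (an unordered AND of four common API strings) and a tightened
# variant against constructed payloads, to show the false-positive problem.

POSTED_RULE = ('alert tcp any any -> any any (msg:"W32.Sobig.E Possible worm"; '
               'content:"kernel32.dll"; content:"user32.dll"; '
               'content:"GetModuleHandleA"; content:"MessageBoxA"; rev:1;)')

# Same strings, but each must appear within 64 bytes after the previous one.
# The 64-byte window is an assumed value; the thread does not give offsets.
TIGHTER_RULE = ('alert tcp any any -> any any (msg:"W32.Sobig.E Possible worm"; '
                'content:"kernel32.dll"; content:"user32.dll"; within:64; '
                'content:"GetModuleHandleA"; within:64; '
                'content:"MessageBoxA"; within:64; rev:1;)')

def parse_contents(rule):
    """Return the content patterns in rule order with their distance/within modifiers."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        if key == "content":
            contents.append({"pattern": val.strip().strip('"').encode(),
                             "distance": 0, "within": None})
        elif key in ("distance", "within") and contents:
            contents[-1][key] = int(val)
    return contents

def rule_matches(rule, payload):
    """Simplified Snort semantics: every content must be found (case-sensitive);
    a content with distance/within is searched only in the window that starts
    after the previous match ended."""
    prev_end = 0
    for c in parse_contents(rule):
        if c["within"] is None and c["distance"] == 0:
            idx = payload.find(c["pattern"])             # unanchored search
        else:
            start = prev_end + c["distance"]
            stop = len(payload) if c["within"] is None else start + c["within"]
            idx = payload.find(c["pattern"], start, stop)
        if idx < 0:
            return False
        prev_end = idx + len(c["pattern"])
    return True

# Constructed payloads. The first imitates the import table of an ordinary GUI
# program, where the four strings sit far apart among other imports; the second
# imitates a worm tail that references them back to back, as the original post says.
BENIGN_PE_FRAGMENT = (b"kernel32.dll\x00" + b"CreateFileA\x00" * 40 + b"GetModuleHandleA\x00"
                      + b"ExitProcess\x00" * 40 + b"user32.dll\x00" + b"LoadIconA\x00" * 40
                      + b"MessageBoxA\x00")
WORM_TAIL_FRAGMENT = b"\x90" * 200 + b"kernel32.dll\x00user32.dll\x00GetModuleHandleA\x00MessageBoxA\x00"

def false_positive_demo():
    """Map payload name -> (posted rule fires, tighter rule fires)."""
    return {name: (rule_matches(POSTED_RULE, p), rule_matches(TIGHTER_RULE, p))
            for name, p in (("benign", BENIGN_PE_FRAGMENT), ("worm", WORM_TAIL_FRAGMENT))}
```

The posted rule fires on both payloads, the tightened one only on the worm-like fragment; a real signature would still need offsets taken from an actual capture rather than the assumed window used here.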
