[Snort-sigs] Sobig.E variant

Shane Williams shanew at ...94...
Thu Jun 26 13:45:04 EDT 2003


Here's a rule to catch the still zipped file in email.

alert tcp any any -> any 25 (msg:"Possible Sobig.e virus in SMTP";\
content:"2kNqIFf0Iss6559hVHjaK4pSHA3hR+JsFH4AOllszjiSH9aO43S2nDKHvs6z8SbJ2AcIwQl44oNC";\
sid:9000019; classtype:misc-activity; rev:1;)

So far I'm seeing no false positives or negatives.

On Thu, 26 Jun 2003, Esler, Joel Contractor wrote:

> I would agree with you, however, when looking for ALL these things in
> conjunction, it would help, now, I do agree that someone who has a better
> packet capture of the virus could help me with the depth and stuff, however,
> this works.  And the only false positive that it detected, was your email.
> 
> Joel
> 
> -----Original Message-----
> From: Steven Alexander [mailto:alexander.s at ...1565...] 
> Sent: Thursday, June 26, 2003 2:27 PM
> To: Esler, Joel Contractor; snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] Sobig.E variant
> 
> 
> Kernel32.dll and user32.dll are libraries supplied with Windows.
> GetModuleHandleA and MessageBoxA are normal Windows API calls.  This rule
> would trigger on the transfer of any windows program that uses both of those
> API calls.  The false positives would be way too high.
> 
> -steven  
> 
> > -----Original Message-----
> > From: Esler, Joel Contractor [mailto:EslerJ at ...785...]
> > Sent: Thursday, June 26, 2003 10:51 AM
> > To: 'snort-sigs at lists.sourceforge.net'
> > Subject: [Snort-sigs] Sobig.E variant
> > 
> > 
> > In case the rest of the world got hit as hard as other people
> > did with this virus..  Grrr..
> > 
> > This MAY work...  Editing???
> > 
> > alert tcp any any -> any any (msg:"W32.Sobig.E Possible
> > worm"; content:"kernel32.dll"; content:"user32.dll"; 
> > content:"GetModuleHandleA"; content:"MessageBoxA"; rev:1;)
> > 
> > These things are referenced at the end of the virus.
> > 
> > j
> > 
> > 
> > 
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
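Added example, not part of the thread and not Snort code: a small Python script that shows what a content match on a base64 line (Shane's rule) does and does not see on the wire, and what a rule on the import names (Joel's first rule) would have to do to see them inside a base64-encoded attachment at all. SAMPLE_ZIP, BENIGN_PE, the addresses and the PATTERN derived from SAMPLE_ZIP are all constructed for the demo; the thread's real 76-character string came from a capture and is not reproduced here.

```python
# Added example (not from the thread).  All sample data is constructed;
# none of it is Sobig.E.
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the zipped attachment: ZIP local-header magic plus
# filler bytes.  NOT a Sobig.E sample.
SAMPLE_ZIP = b"PK\x03\x04" + bytes(range(256)) * 2

# Constructed stand-in for an ordinary Windows program that imports the same
# APIs Joel's first rule keyed on (Steven's false-positive case).
BENIGN_PE = (b"MZ" + b"\x00" * 64
             + b"kernel32.dll\x00user32.dll\x00GetModuleHandleA\x00MessageBoxA\x00")
IMPORT_STRINGS = [b"kernel32.dll", b"user32.dll", b"GetModuleHandleA", b"MessageBoxA"]


def wrapped_base64(data: bytes, width: int = 76) -> bytes:
    """Encode the way a MIME agent does: width//4*3 input bytes per line."""
    per_line = width // 4 * 3
    lines = [base64.b64encode(data[i:i + per_line])
             for i in range(0, len(data), per_line)]
    return b"\r\n".join(lines) + b"\r\n"


# The rule's content string: one full 76-character base64 line of the known
# sample (the second line of SAMPLE_ZIP here, standing in for the real one).
PATTERN = wrapped_base64(SAMPLE_ZIP).split(b"\r\n")[1].decode("ascii")


def build_message(attachment: bytes, filename: str = "attachment.zip") -> bytes:
    """A minimal SMTP message body carrying `attachment` base64-encoded and
    wrapped at 76 characters, as the stdlib and most mail clients do."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: Application"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def raw_content_match(message: bytes, pattern: str) -> bool:
    """What a Snort content: match does: a byte match against the traffic as
    sent, i.e. against the base64 text, not against the file itself."""
    return pattern.encode("ascii") in message


def decoded_matches(message: bytes, needles) -> bool:
    """Decode each MIME part and require every needle in the decoded bytes.
    Import names like kernel32.dll can only be seen this way: '.' is not in
    the base64 alphabet, so they never appear in the encoded text."""
    msg = email.message_from_bytes(message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / QP
        if payload and all(n in payload for n in needles):
            return True
    return False


if __name__ == "__main__":
    same = build_message(SAMPLE_ZIP)
    shifted = build_message(b"\x00" + SAMPLE_ZIP)  # same bytes, one byte prepended
    print("raw match, identical file:   ", raw_content_match(same, PATTERN))
    print("raw match, 1-byte shift:     ", raw_content_match(shifted, PATTERN))
    print("decoded match, 1-byte shift: ", decoded_matches(shifted, [SAMPLE_ZIP[100:140]]))
    print("76-char line in 64-col wrap: ", PATTERN.encode() in wrapped_base64(SAMPLE_ZIP, 64))
    benign = build_message(BENIGN_PE, "setup.exe")
    print("import names, raw base64:    ", raw_content_match(benign, "kernel32.dll"))
    print("import names, decoded:       ", decoded_matches(benign, IMPORT_STRINGS))
```

Two things the script makes concrete. A 76-character base64 line identifies one exact 57-byte window of the file at one 3-byte alignment and one wrap width, so the match holds only while the attachment is byte-identical and encoded the same way; prepend a single byte, or wrap at 64 columns, and the same file no longer matches. And a raw match on the import names cannot fire on a base64 body at all, while a match on the decoded bytes fires on the constructed benign program too, which is the false-positive point Steven raises. Separately, Snort's content match is made against the packet payload, or the reassembled stream when stream reassembly is enabled; a 76-byte string that straddles a TCP segment boundary is missed without reassembly.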
