[Snort-sigs] W32.Mumu.B.Worm Patterns (BETA)

Tinsley Paul Paul.Tinsley at ...1517...
Fri Jun 27 08:05:07 EDT 2003


Here are some rules I threw together to try and catch Mumu.B. If anybody
uses them and has false positives or real positives, please shoot me a line.
I don't currently have the virus, thank goodness, so I can't really test the
rules.  They are based on information I could get from Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mumu.b.worm.html#technicaldetails

alert tcp any any -> 202.106.187.180 25 (msg:"Possible W32.Mumu.B.Worm Information Disclosure via SMTP"; flow:established; content:"sendmail2.student at ...1640..."; nocase; classtype:misc-activity; sid:900022; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mumu.b.worm.html#technicaldetails; rev:1;)

alert tcp any any -> 61.151.248.56 80 (msg:"Possible W32.Mumu.B.Worm Information Disclosure via Webmail"; flow:established; content:"babyj at ...1641..."; nocase; classtype:misc-activity; sid:900023; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mumu.b.worm.html#technicaldetails; rev:1;)

Thanks,
Paul Tinsley
Senior Security Engineer
Security Assurance
2555 Park Plaza, DC-3N
Nashville, TN 37075
Office: (615) 344-6403
Pager: (615) 960-7766 or paul.tinsley at ...1250...
Cell:    (615) 973-5353
Email: paul.tinsley at ...1515...
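
Rules copied out of a list archive like this one arrive hard-wrapped by the mailer and with the e-mail address in each content option masked by the archive. The following is an added example, not part of the original post: a small Python checker that rejoins wrapped rules and flags what would stop them loading or matching. The function names and the msg/sid/rev convention are assumptions of this sketch; the sample input is the first rule as it was wrapped in the archive.

```python
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
EXPECTED = ("msg", "sid", "rev")  # this checker's convention, not a Snort requirement
ARCHIVE_MASK = re.compile(r" at \.\.\.\d+\.\.\.")  # archive's stand-in for "@domain"
OPTION = re.compile(r'\s*([a-z_]+)(?::((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

# First rule exactly as it is wrapped in the archived post.
ARCHIVED = '''alert tcp any any -> 202.106.187.180 25 (msg:"Possible W32.Mumu.B.Worm
Information Disclosure via SMTP"; flow:established;
content:"sendmail2.student at ...1640..."; nocase; classtype:misc-activity;
sid:900022;
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mumu.b.wo
rm.html#technicaldetails; rev:1;)
'''

def unwrap_rules(text):
    """Rejoin hard-wrapped rules: action keyword through the line ending ';)'."""
    rules, parts = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not parts and line.split(" ", 1)[0] not in ACTIONS:
            continue  # prose or blank line between rules
        parts.append(line)
        if line.endswith(";)"):
            rules.append("".join(parts))
            parts = []
        elif " " in line or line.endswith(";"):
            # Wrapped at whitespace: restore the space. Otherwise the line is one
            # long token (the URL) split mid-word and is joined with no space.
            parts.append(" ")
    return rules

def check_rule(rule):
    """Return a list of problems that would stop the rule loading or matching."""
    if "(" not in rule or not rule.endswith(")"):
        return ["no option block"]
    problems = []
    if len(rule[: rule.index("(")].split()) != 7:
        problems.append("header needs action proto src sport dir dst dport")
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for m in OPTION.finditer(body):
        opts.setdefault(m.group(1), []).append(m.group(2) or "")
    problems += [f"missing {name}" for name in EXPECTED if name not in opts]
    for value in opts.get("content", []):
        if ARCHIVE_MASK.search(value):
            problems.append(f"content {value} is archive-masked, will not match")
    return problems
```

Run over the archived text, the checker rejoins the rule into one line and reports only the masked content string, which has to be restored from the Symantec write-up before the rule can match anything.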