[Snort-sigs] Does anyone have a working set of rules for the Fizzer Worm

Tinsley Paul Paul.Tinsley at ...1517...
Wed May 14 15:39:04 EDT 2003


I pulled these rules off of a virus vendor site (I don't remember which one,
sorry, or I would give them credit). One thing you may want to do is change
the sid numbers; I use 900000s for any local rules I have:

alert tcp any any -> any any (msg:"W32.HLLW.Fizzer at ...110..."; \
    content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t"; nocase; \
    content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"; nocase; \
    classtype:misc-activity; sid:900010; rev:1;)

alert udp any any -> any any (msg:"W32.HLLW.Fizzer at ...110..."; \
    content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t"; nocase; \
    content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"; nocase; \
    classtype:misc-activity; sid:900011; rev:1;)

alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer at ...110..."; \
    content:"AHMAZQByAHYAYwAuAGUAeABl"; classtype:misc-activity; sid:900012; rev:1;)

alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer at ...110..."; \
    content:"AGwAcwBlAHIAdgBjAC4AZQB4"; classtype:misc-activity; sid:900013; rev:1;)

alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer at ...110..."; \
    content:"AbABzAGUAcgB2AGMALgBlAHg"; classtype:misc-activity; sid:900014; rev:1;)

I have only had these rules up and running for about 30 minutes, so I can't
speak to their accuracy; I wouldn't mind knowing if they help/hinder
though.

P.S. - I think the vendor was Symantec.
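As an added example (not from the post or from the vendor's rule set), the Python below decodes the |00| notation used by the TCP/UDP rules, emulates a Snort content/nocase test on a raw payload, and shows why the three SMTP rules carry three different base64 strings: they are the three possible base64 alignments (byte offset mod 3 in the MIME body) of the same UTF-16LE file name. The only assumption is that the byte before the file name is 0x00, the high byte of the preceding UTF-16LE character.

```python
import base64

# Content strings copied from the Fizzer rules above: the TCP/UDP rules look
# for the raw UTF-16LE file name, the SMTP rules for its base64 (MIME) form.
LSERVC_CONTENT = "l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"
SMTP_FRAGMENTS = {900012: "AHMAZQByAHYAYwAuAGUAeABl",
                  900013: "AGwAcwBlAHIAdgBjAC4AZQB4",
                  900014: "AbABzAGUAcgB2AGMALgBlAHg"}

def snort_content_to_bytes(content: str) -> bytes:
    """Expand Snort's |xx xx| hex escapes; every other character is literal."""
    out, i = bytearray(), 0
    while i < len(content):
        if content[i] == "|":
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end])
            i = end + 1
        else:
            out += content[i].encode("latin-1")
            i += 1
    return bytes(out)

def content_matches(payload: bytes, content: str, nocase: bool = False) -> bool:
    """Emulate a Snort `content` test (with optional `nocase`) on a raw payload."""
    pattern = snort_content_to_bytes(content)
    return pattern.lower() in payload.lower() if nocase else pattern in payload

def base64_alignments(needle: bytes, assumed_prefix: bytes = b"\x00") -> list:
    """Base64 works on 3-byte groups, so the same bytes encode to one of three
    strings depending on their offset mod 3 in the MIME body.  For each offset
    keep only the characters whose 6 bits come entirely from known bytes: the
    needle plus `assumed_prefix` (in UTF-16LE ASCII text the byte before the
    needle is the previous character's 0x00 high byte; an assumption here)."""
    known = assumed_prefix + needle
    fragments = []
    for offset in range(3):
        stream = b"\x00" * offset + known     # zeros stand in for the unknown bytes
        encoded = base64.b64encode(stream).decode("ascii")
        lo, hi = 8 * offset, 8 * len(stream)  # bit range covered by known bytes
        fragments.append("".join(c for j, c in enumerate(encoded)
                                 if lo <= 6 * j and 6 * j + 6 <= hi))
    return fragments

def sids_matching(fragment: str) -> list:
    """SIDs of the SMTP rules whose content string occurs in a computed fragment."""
    return sorted(sid for sid, s in SMTP_FRAGMENTS.items() if s in fragment)

if __name__ == "__main__":
    for off, frag in enumerate(base64_alignments(snort_content_to_bytes(LSERVC_CONTENT))):
        print(f"offset {off}: {frag} -> matched by sid {sids_matching(frag)}")
```

Each computed alignment is matched by exactly one of sid 900012, 900013 and 900014, which is why all three rules are needed to cover a base64-encoded attachment.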

-----Original Message-----
From: Marty.Bostick at ...495... [mailto:Marty.Bostick at ...495...]
Sent: Wednesday, May 14, 2003 3:27 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Does anyone have a working set of rules for the Fizzer Worm

I need a working set of rules for the "Fizzer Worm"

Thanks
