[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

Shane Williams shanew at ...94...
Mon May 19 14:28:02 EDT 2003

On Mon, 19 May 2003, Magnus Larsson wrote:

> Hi there!
> Is there a signature for the worm_palyh.a virus and the pe_ganda.a
> virus? Or does anyone know how to write one?

I'm working on one right now.  Here's a first go (I'm running 1.8.6,
so pardon the old-style rule):

alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \
content:"2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAAH2X7fG4tG"; \
sid:9000018; classtype:misc-activity; rev:1;)

I'm running it on traffic dumps from today so I can compare it with
info from a virus scan on our mailserver, but so far it looks good,
with no false positives or negatives.

Please let me know how it works.

Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
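Two things worth checking on a base64 content match like the rule above, shown as an added example (not from the original post, and not Snort code): the same bytes encode to one of three different base64 strings depending on where they fall in the stream, and a 76-character string can straddle a MIME line fold. The payload bytes and the message body here are constructed stand-ins.

```python
import base64
from typing import List, Optional

def base64_variants(pattern: bytes) -> List[str]:
    """Base64 text encoding `pattern` at each of the three byte alignments
    (offset mod 3) it can occupy inside a longer base64 stream. Only the
    4-char groups lying entirely within `pattern` are kept, so each variant
    appears verbatim whatever bytes surround the pattern in the attachment."""
    variants = []
    for offset in range(3):
        stream = b"\x00" * offset + pattern        # constructed leading bytes
        encoded = base64.b64encode(stream).decode("ascii")
        first = (offset + 2) // 3                  # first group fully inside
        last = (offset + len(pattern)) // 3        # one past the last such group
        variants.append(encoded[4 * first:4 * last])
    return variants

def find_variant(body: str, variants: List[str]) -> Optional[str]:
    """Raw substring search, the way a Snort content: match sees the payload."""
    for v in variants:
        if v in body:
            return v
    return None

def unfold(body: str) -> str:
    """Remove the CRLF/LF folding that MIME inserts every 76 base64 characters."""
    return body.replace("\r", "").replace("\n", "")

def folded_attachment(payload: bytes) -> str:
    """Constructed stand-in for a base64 MIME part: encodebytes folds at 76."""
    return base64.encodebytes(payload).decode("ascii")

# Constructed stand-in for a fragment of the worm body (not real malware bytes).
PATTERN = b"ABCDEFGHI"

if __name__ == "__main__":
    variants = base64_variants(PATTERN)
    print("alignment variants:", variants)
    # 54 leading bytes put PATTERN at characters 72..84 of the encoded stream,
    # i.e. straddling the end of the first 76-character line.
    body = folded_attachment(b"\x00" * 54 + PATTERN + b"\x00" * 3)
    print("raw match:     ", find_variant(body, variants))        # None
    print("unfolded match:", find_variant(unfold(body), variants))
    # One extra leading byte shifts the alignment; a different variant matches.
    body2 = folded_attachment(b"\x01" + PATTERN)
    print("shifted match: ", find_variant(body2, variants))
```

A rule with a single content: string covers one alignment and one line boundary; comparing hits against the mailserver's scanner, as the post does, is the way to confirm the worm's attachments are encoded consistently enough for that to hold.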
