[Snort-sigs] snort rule question: welchia worm

Tony Blackmon tblackmon at ...1941...
Tue Oct 7 06:15:08 EDT 2003


Welchia is a worm that hit the internet to try and fix machines that
could be targeted by Blaster. It disables Blaster, removes it, and
patches the machine for RPC exploits. Now...it uses the same method of
infection as Blaster as well...

Last week I lost a hard drive. I went to the stock room and grabbed a
new one. Before I had time to get an anti-virus package on my machine,
or do SP1 and get those 2 RPC patches...I had the Welchia worm. A
reinstall got me the same results. After determining what Welchia was
going to do, I decided to let it be for the time being, get my patches
done, and just run with the machine's year set to 2004 for a bit until it
removed itself. This was a virtual machine running Windows XP Pro on a
Red Hat 9 box. Now...after all that was done, I installed Snort, actually
Demarc...I really dig its web interface. Anyways, I've gotten no hits on
the following two rules I took from the Snort rules database in over 2
days. I don't get it...I was getting infected in a matter of minutes, but
these rules that detect Blaster don't see Welchia....

Anybody have any clues? EXTERNAL_NET is defined as any, and HOME_NET is
my local machines' LAN IP. Thanks!

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 ( \
    msg:"NETBIOS DCERPC ISystemActivator bind attempt"; \
    flow:to_server,established; \
    content:"|05|"; distance:0; within:1; \
    content:"|0b|"; distance:1; within:1; \
    byte_test:1,&,1,0,relative; \
    content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
    reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1; \
)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( \
    msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; \
    flow:to_server,established; \
    content:"|FF|SMB|25|"; nocase; offset:4; depth:5; \
    content:"|26 00|"; distance:56; within:2; \
    content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; \
    content:"|05|"; distance:0; within:1; \
    content:"|0b|"; distance:1; within:1; \
    byte_test:1,&,1,0,relative; \
    content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
    reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1; \
)
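
The following is an added example, not part of the original post and not
Snort's own code: a short Python script that builds connection-oriented
DCE/RPC v5 bind PDUs and replays the content/byte_test chain of sid:2192
over them, option by option, so you can see exactly which bytes a packet
must carry before the rule fires. The ISystemActivator UUID
(000001A0-0000-0000-C000-000000000046) and the NDR transfer-syntax UUID
are the real ones; the placeholder interface UUID, the frame sizes and all
sample PDUs are constructed here. The matcher only models the rule
options; the rule header (tcp, $EXTERNAL_NET -> $HOME_NET port 135,
flow:to_server,established) is not modelled, and the port 445 rule above
checks the same DCE/RPC bytes after its SMB header and \PIPE\ matches.

```python
"""Replay the byte matching of Snort sid:2192 against constructed DCE/RPC bind PDUs."""
import struct
import uuid

# Interface UUID that sid:2192 looks for: 000001A0-0000-0000-C000-000000000046
# (ISystemActivator). .bytes_le is the little-endian wire order, which is the
# |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46| content string in the rule.
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
ISYSTEMACTIVATOR_WIRE = ISYSTEMACTIVATOR.bytes_le

# Standard NDR transfer syntax offered in every context item (not inspected by the rule).
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# Constructed placeholder interface, used only to build a non-matching first context item.
OTHER_IFACE = uuid.UUID("12345678-1234-1234-1234-123456789abc")


def dcerpc_bind(interfaces, first_frag=True, call_id=1):
    """Build a minimal DCE/RPC v5 bind PDU (little-endian NDR), one context per interface.

    interfaces: list of (uuid.UUID, version) tuples.
    Layout the rule relies on: byte 0 = rpc_vers (5), byte 2 = ptype (0x0b = bind),
    byte 3 = pfc_flags, and the FIRST context item's abstract-syntax UUID at bytes 32..47.
    """
    ctx_items = b""
    for ctx_id, (iface, version) in enumerate(interfaces):
        ctx_items += struct.pack("<HBB", ctx_id, 1, 0)            # context id, 1 transfer syntax, pad
        ctx_items += iface.bytes_le + struct.pack("<I", version)   # abstract syntax (the interface)
        ctx_items += NDR32.bytes_le + struct.pack("<I", 2)         # transfer syntax NDR v2
    body = struct.pack("<HHI", 5840, 5840, 0)                      # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<B3x", len(interfaces)) + ctx_items       # num_ctx_items + 3 bytes padding
    pfc_flags = 0x02 | (0x01 if first_frag else 0x00)              # PFC_LAST_FRAG, optionally PFC_FIRST_FRAG
    header = struct.pack("<BBBB4sHHI",
                         5, 0, 0x0B, pfc_flags,                    # rpc_vers, rpc_vers_minor, ptype=bind, flags
                         b"\x10\x00\x00\x00",                      # packed_drep: little-endian, ASCII, IEEE float
                         16 + len(body), 0, call_id)               # frag_length, auth_length, call_id
    return header + body


def sid2192_matches(payload: bytes) -> bool:
    """Apply the option chain of sid:2192 to one TCP payload in rule order."""
    # content:"|05|"; distance:0; within:1   -> byte 0 must be 0x05 (rpc_vers)
    if payload[0:1] != b"\x05":
        return False
    # content:"|0b|"; distance:1; within:1   -> skip byte 1, byte 2 must be 0x0b (bind)
    if payload[2:3] != b"\x0b":
        return False
    # byte_test:1,&,1,0,relative            -> byte 3 (pfc_flags) must have PFC_FIRST_FRAG set;
    # byte_test does not move the detection cursor, which stays just past the 0x0b byte
    if len(payload) < 4 or not payload[3] & 0x01:
        return False
    # content:"|A0 01 ... 46|"; distance:29; within:16
    # From byte 3 skip 29 -> byte 32; a 16-byte pattern with within:16 must start exactly
    # there, so only bytes 32..47 are compared: the abstract-syntax UUID of the FIRST
    # presentation context. A bind that lists ISystemActivator second is not seen.
    return payload[32:48] == ISYSTEMACTIVATOR_WIRE


def run_cases():
    """Constructed bind PDUs and the verdict sid:2192 gives for each."""
    return {
        "isystemactivator_first_ctx": sid2192_matches(
            dcerpc_bind([(ISYSTEMACTIVATOR, 0)])),
        "isystemactivator_second_ctx": sid2192_matches(
            dcerpc_bind([(OTHER_IFACE, 1), (ISYSTEMACTIVATOR, 0)])),
        "not_first_fragment": sid2192_matches(
            dcerpc_bind([(ISYSTEMACTIVATOR, 0)], first_frag=False)),
        "empty_payload": sid2192_matches(b""),
    }


if __name__ == "__main__":
    for name, hit in run_cases().items():
        print(f"{name:32s} {'ALERT' if hit else 'no match'}")
```

Running it shows that only a first-fragment bind whose first presentation
context is ISystemActivator trips the option chain; the same interface in
a later context item, or in a continuation fragment, passes untouched. To
compare against real traffic, feed the script the TCP payload of a
captured bind to port 135 instead of the constructed PDUs.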

More information about the Snort-sigs mailing list