[Snort-sigs] W32/SWEN.A signature

pieter claassen pieter at ...1894...
Tue Sep 23 03:16:03 EDT 2003

Here is a signature for the swen.a worm. As listed, it will work with
IPS and IDS flex response and will reject traffic (send a TCP reset to
both sending and receiving MTA's). Note that we have seen some of the
executables that have a slightly different base64 encoding and therefore
will not match. Also, without TCP stream reassembly, you will still see
some of the stuff getting through, but it will reduce the flood.

reject tcp any any -> any 25 (msg:"SWEN.A Worm detected"; content:
"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; sid:3000001; rev:2;
classtype:misc-activity; resp: rst_all; reference:cve,CVE-2001-0154; )

Pieter Claassen
CounterSnipe Technologies

Highview House
Charles Square
RG12 1DF
United Kingdom

Tel: +44(0) 1344 390 530
Fax: +44(0) 1344 390 700
Mobile: +44 (0) 776 6656 924
email: pieter at ...1894...

More information about the Snort-sigs mailing list