[Snort-sigs] Here are some Netsky Worm Sigs

Tom.Mclaughlin at ...1486...
Wed Feb 25 13:11:01 EST 2004


Here are a bunch of sigs that I found useful for this new worm... 
http://vil.nai.com/vil/content/v_101048.htm

SID
1003301 = Catches hosts infected when they try to do a DNS lookup using the servers listed
1003303 = Netsky binary copied across smb
1003304 = Netsky binary copied across smb Win2k to Win2k
1003308 = Netsky base64 detached from Lotus Notes server
1003309 = Netsky base64 crossing SMTP
1003310 = Netsky binary downloading from HTTP IMAP server

alert udp any any -> [145.253.2.171,151.189.13.35,193.141.40.42,193.189.244.205,193.193.144.12,193.193.158.10,194.25.2.129,194.25.2.130,194.25.2.131,194.25.2.132,194.25.2.133,194.25.2.134,195.185.185.195,195.20.224.234,212.185.252.136,212.185.252.73,212.185.253.70,212.44.160.8,212.7.128.162,212.7.128.165,213.191.74.19,217.5.97.137,62.155.255.16] 53 (msg:"Netsky DNS lookup"; sid:1003301; rev:2;)
alert tcp any any -> any 139 (msg:"Netsky message.zip HEX port 139"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003303;)
alert tcp any any -> any 445 (msg:"Netsky message.zip HEX port 445"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003304;)
alert tcp any 1352 -> any any (msg:"Netsky base64 port 1352"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003308;)
alert tcp any 25 -> any any (msg:"Netsky base64 port 25"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003309;)
alert tcp any 80 -> any any (msg:"Netsky message.zip HEX port 80"; content:"|09 0D 00 0D 01 01 0D 0D 09 09 0D 44 0D 71 6D 00 6D 69 69 6D 6D 61 61 6D 00 6D 69 53 53 53 4B|"; sid:1003310;)

-Tom
8-473-5286

.oooO
 (   )  Oooo. 
  \ (     (   ) 
   \_)    ) /
          (_/
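Added example, not part of Tom's post: a small Python harness that parses the five content-bearing rules above (the DNS rule matches on destination IP only and is left out), rebuilds the byte patterns from the Snort `|hex|` notation, and runs the header and content checks over constructed sample payloads (an SMB write and an SMTP body, both built inline, not captured traffic). Two things it makes visible that are worth checking before these go into a sensor: the port-25 and port-1352 rules key on the source port, so as written they inspect packets leaving the mail server rather than the client's DATA toward port 25; and a base64 content match only holds while the attachment is encoded at the same byte alignment, since prefixing a single byte before encoding changes every 4-character group. The payload bytes, port numbers and function names are this example's own.

```python
"""Replay the Netsky content rules above against constructed packets."""
from __future__ import annotations
import base64
import re
from dataclasses import dataclass

# The five content-bearing rules from the post, each joined back onto one
# line (mail wrapping split the content strings). The DNS rule matches on
# destination IP only and is left out of this harness.
RULES_TEXT = r'''
alert tcp any any -> any 139 (msg:"Netsky message.zip HEX port 139"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003303;)
alert tcp any any -> any 445 (msg:"Netsky message.zip HEX port 445"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003304;)
alert tcp any 1352 -> any any (msg:"Netsky base64 port 1352"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003308;)
alert tcp any 25 -> any any (msg:"Netsky base64 port 25"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003309;)
alert tcp any 80 -> any any (msg:"Netsky message.zip HEX port 80"; content:"|09 0D 00 0D 01 01 0D 0D 09 09 0D 44 0D 71 6D 00 6D 69 69 6D 6D 61 61 6D 00 6D 69 53 53 53 4B|"; sid:1003310;)
'''

RULE_RE = re.compile(
    r"alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    sport: str   # "any" or a port number, exactly as written in the header
    dport: str
    content: bytes


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes: text outside |...| is a
    literal, text inside is hex (whitespace between bytes is allowed)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed rule: {line!r}")
        opts = m.group("opts")
        rules.append(Rule(
            sid=int(re.search(r"\bsid:(\d+)", opts).group(1)),
            msg=re.search(r'msg:"([^"]*)"', opts).group(1),
            proto=m.group("proto"),
            sport=m.group("sport"),
            dport=m.group("dport"),
            content=parse_content(re.search(r'content:"([^"]*)"', opts).group(1)),
        ))
    return rules


def port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def match(rules: list[Rule], proto: str, sport: int, dport: int, payload: bytes) -> list[int]:
    """SIDs whose header (proto, source port, destination port) and content both match."""
    return [r.sid for r in rules
            if r.proto == proto and port_ok(r.sport, sport)
            and port_ok(r.dport, dport) and r.content in payload]


def base64_pattern_survives_shift(pattern: bytes, prefix: bytes) -> bool:
    """Re-encode the bytes behind a base64 pattern with `prefix` in front and
    report whether the original pattern still appears. Only prefixes whose
    length is a multiple of 3 keep the 4-character groups aligned."""
    return pattern in base64.b64encode(prefix + base64.b64decode(pattern))


RULES = parse_rules(RULES_TEXT)
BY_SID = {r.sid: r for r in RULES}

# Constructed sample payloads: each rule's own pattern surrounded by filler,
# standing in for an SMB write and an SMTP message body.
SMB_PAYLOAD = b"\xffSMB" + b"\x00" * 40 + BY_SID[1003303].content + b"\x00" * 16
SMTP_BODY = b"Content-Transfer-Encoding: base64\r\n\r\n" + BY_SID[1003309].content + b"\r\n"


def demo() -> dict[str, list[int]]:
    return {
        "smb_write_to_445": match(RULES, "tcp", 4321, 445, SMB_PAYLOAD),
        "smb_write_to_139": match(RULES, "tcp", 4321, 139, SMB_PAYLOAD),
        "body_from_port_25": match(RULES, "tcp", 25, 4000, SMTP_BODY),
        "body_to_port_25": match(RULES, "tcp", 4000, 25, SMTP_BODY),
    }


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name}: {sids}")
    print("base64 pattern after 1-byte shift:",
          base64_pattern_survives_shift(BY_SID[1003309].content, b"\x00"))
```

Running it shows the SMB pattern firing on the port-139 and port-445 rules, the base64 body firing only when the packet's source port is 25, and the base64 pattern disappearing after a one-byte shift while a three-byte shift leaves it intact. Note also that the port-139/445 hex pattern carries the ASCII string ".petite" inside it, so the match is on the packed binary itself rather than on the zip container named in the msg.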