[Snort-sigs] Here are some Netsky Worm Sigs

Tom.Mclaughlin at ...1486...
Wed Feb 25 18:35:00 EST 2004


These are from samples of Netsky.C binary and base64 email attachments.

-Tom
8-473-5286

.oooO
 (   )  Oooo. 
  \ (     (   ) 
   \_)    ) /
          (_/


Chintan Gosalia <chintan_cmpe at ...144...>
02/25/2004 02:48 PM

 
        To:     Tom McLaughlin/CA/KAIPERM at ...1715..., snort-sigs at lists.sourceforge.net
        cc: 
        Subject:        Re: [Snort-sigs] Here are some Netsky Worm Sigs


Hi,
 
Thanks for these signatures. But I am wondering where you found the 
pattern match for these signatures. Please let me know. I think these are 
only for Netsky.C. If not, can you let me know whether they are for Netsky.B 
or Netsky.C?
 
Thank you for any help in advance.
 
Chintan

Tom.Mclaughlin at ...1486... wrote:

Here are a bunch of sigs that I found useful for this new worm... http://vil.nai.com/vil/content/v_101048.htm 

SID 
1003301 = Catches hosts infected when they try to do a DNS lookup using 
the servers listed 
1003303 = Netsky binary copied across smb 
1003304 = Netsky binary copied across smb Win2k to Win2k 
1003308 = Netsky base64 detached from lotus notes server 
1003309 = Netsky base64 crossing SMTP 
1003310 = Netsky binary downloading from HTTP IMAP server 

alert udp any any -> [145.253.2.171,151.189.13.35,193.141.40.42,193.189.244.205,193.193.144.12,193.193.158.10,194.25.2.129,194.25.2.130,194.25.2.131,194.25.2.132,194.25.2.133,194.25.2.134,195.185.185.195,195.20.224.234,212.185.252.136,212.185.252.73,212.185.253.70,212.44.160.8,212.7.128.162,212.7.128.165,213.191.74.19,217.5.97.137,62.155.255.16] 53 (msg:"Netsky DNS lookup"; sid:1003301; rev:2;) 
alert tcp any any -> any 139 (msg:"Netsky message.zip HEX port 139"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003303;) 
alert tcp any any -> any 445 (msg:"Netsky message.zip HEX port 445"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003304;) 
alert tcp any 1352 -> any any (msg:"Netsky base64 port 1352"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003308;) 
alert tcp any 25 -> any any (msg:"Netsky base64 port 25"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003309;) 
alert tcp any 80 -> any any (msg:"Netsky message.zip HEX port 80"; content:"|09 0D 00 0D 01 01 0D 0D 09 09 0D 44 0D 71 6D 00 6D 69 69 6D 6D 61 61 6D 00 6D 69 53 53 53 4B|"; sid:1003310;) 

-Tom
8-473-5286

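Chintan's question about where the pattern matches come from is answered by how the two kinds of rule above are built: the |..| hex rules carry raw bytes of the packed binary (2E 70 65 74 69 74 65 is the ASCII string ".petite"), and the port 25 and port 1352 rules carry the same kind of bytes as they appear once base64-encoded inside a MIME attachment. The script below is an added example, not code from either poster or from the Snort project. It parses a Snort content: string, derives the base64 form of a byte pattern for all three possible alignments (base64 turns every 3 bytes into 4 characters, so a fixed byte run encodes to three different strings depending on its offset modulo 3 in the attachment, and a single base64 content such as the one in sid 1003308/1003309 matches only one of them), and checks constructed payloads. The sample binary is rebuilt from the hex content of sid 1003303 as posted, not from a real capture; the PATTERN slice, the filler prefixes and the negative sample are assumptions made for the demonstration.

```python
"""Derive base64 content matches from a byte pattern and test them.

Added example, not code from the original posts or from the Snort project.
All sample data is constructed here; nothing is taken from a real capture.
"""
import base64
import re

# Hex content of sid 1003303 exactly as posted above. Parsed below into a
# byte string that stands in for the packed binary on the wire.
RULE_1003303_CONTENT = (
    "|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 "
    "05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 "
    "00 00|"
)

# Assumed slice of those bytes to turn into a base64 signature (".petite" is
# the packer marker visible in the hex; the choice of slice is ours).
PATTERN = b".petite\x00\x00\x10"


def snort_hex(pattern: bytes) -> str:
    """Render bytes in the |XX XX ..| form Snort uses inside content:."""
    return "|" + " ".join(f"{b:02X}" for b in pattern) + "|"


def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content: argument (mixed text and |hex| runs) into bytes.

    Whitespace inside a |..| run is ignored, so a rule that a mail client
    wrapped over several lines still parses here.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def raw_matches(payload: bytes, content: str) -> bool:
    """Literal match, as a content: option without modifiers behaves."""
    return parse_snort_content(content) in payload


def base64_variants(pattern: bytes) -> list:
    """Base64 text of `pattern` for each of the three possible alignments.

    For each offset we keep only the 4-character groups made entirely of
    pattern bytes: the group that also covers unknown preceding bytes and
    any trailing partial ('=' padded) group are dropped, so every variant
    is safe to use verbatim as a content: string.
    """
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + pattern  # placeholders for unknown bytes
        enc = base64.b64encode(padded).decode("ascii")
        start = 4 if offset else 0           # first group mixes in placeholders
        end = (len(padded) // 3) * 4         # drop the partial last group
        variants.append(enc[start:end])
    return variants


def attachment_matches(body: str, pattern: bytes) -> bool:
    """Check a base64 attachment body against all three alignments.

    MIME folds base64 at 76 columns, so line breaks are removed first.
    A plain Snort content: match on the raw SMTP payload does not do this.
    """
    flat = re.sub(r"\s+", "", body)
    return any(v in flat for v in base64_variants(pattern))


def mime_body(data: bytes) -> str:
    """Constructed attachment body: base64 folded at 76 columns like MIME."""
    return base64.encodebytes(data).decode("ascii")


SAMPLE_BINARY = parse_snort_content(RULE_1003303_CONTENT)

if __name__ == "__main__":
    print("hex content:", snort_hex(PATTERN))
    for i, v in enumerate(base64_variants(PATTERN)):
        print(f"base64 content (offset {i}): {v}")
    # Filler prefixes shift the pattern through all three alignments.
    for prefix in (b"", b"X", b"XY", b"A" * 50):
        body = mime_body(prefix + SAMPLE_BINARY)
        print(f"prefix {len(prefix)} bytes: match={attachment_matches(body, PATTERN)}")
```

Running it prints the hex form, the three base64 forms and the match results. The 50-byte prefix case is the caveat worth keeping in mind: it pushes the pattern across the 76-column fold of the attachment, so the single base64 string is split by a line break in the raw payload and a literal content: match misses it even though the bytes are there.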
