[Snort-sigs] MyDoom.F Signature
David A. Koran
webjedi at ...2282...
Fri Feb 27 06:28:02 EST 2004
Well, if it wasn't for Sourceforge reverse testing (for a postmaster
address via the RFC standard) my SMTP engine (I have VRFY and EXPN off
on my install of Sendmail), y'all would have had this sig yesterday.
Anyhow, without further ado, a sig that hasn't had any false positives
on a 9000+ node network:
### MyDoom.F Payload [e-mail] (02-24-2004)
alert tcp any any -> any 25 (msg:"VIRUS Mydoom.F Attachment"; content:"UEsDBAoAAAAAA"; classtype:misc-activity; sid:123456789; rev:1;)
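
Added example, not part of the original post: a Python sketch that decodes the rule's content string to show which ZIP local-file-header bytes it pins, then runs the same substring match over constructed attachments. The header layout comes from the public ZIP format; the helper names and sample headers are assumptions made up for this illustration.

```python
import base64
import struct

RULE_CONTENT = b"UEsDBAoAAAAAA"  # content string from the posted rule


def decode_prefix(content: bytes) -> bytes:
    """Whole bytes pinned by a base64 prefix (a trailing partial group is dropped)."""
    usable = len(content) - len(content) % 4
    return base64.b64decode(content[:usable])


def describe(prefix: bytes) -> dict:
    """Name the ZIP local-file-header fields covered by the decoded prefix."""
    sig, version, flags = struct.unpack("<4sHH", prefix[:8])
    return {"signature": sig, "version_needed": version,
            "flags": flags, "method_low_byte": prefix[8]}


def local_header(version: int, flags: int, method: int, name: bytes) -> bytes:
    """Constructed 30-byte ZIP local file header for an empty member, plus its name."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version, flags, method,
                       0, 0, 0, 0, 0, len(name), 0) + name


def rule_matches(raw_attachment: bytes) -> bool:
    """Emulate the rule's unanchored content match on a base64 MIME body."""
    return RULE_CONTENT in base64.encodebytes(raw_attachment)


if __name__ == "__main__":
    print(describe(decode_prefix(RULE_CONTENT)))
    # Constructed samples: (version needed, flags, compression method)
    for label, fields in [("v1.0 stored", (10, 0, 0)),
                          ("v1.0 deflate", (10, 0, 8)),
                          ("v2.0 deflate", (20, 0, 8))]:
        hit = rule_matches(local_header(*fields, b"constructed.txt"))
        print(f"{label:13s} -> {'alert' if hit else 'no match'}")
```

The match is on the attachment's container header, not on the payload, so it only applies when the ZIP is the first thing in the base64 part and the header fields have these exact values.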