[Snort-sigs] MyDoom.F Signature

David A. Koran webjedi at ...2282...
Fri Feb 27 06:28:02 EST 2004


Well, if it wasn't for Sourceforge reverse testing (for a postmaster 
address via the RFC standard) my SMTP engine (I have VRFY and EXPN off 
on my install of Sendmail), y'all would have had this sig yesterday.

Anyhow, without further ado, a sig that hasn't had any false positives 
on a 9000+ node network

### MyDoom.F Payload [e-mail] (02-24-2004)
alert tcp any any -> any 25 (msg:"VIRUS Mydoom.F Attachment"; content:"UEsDBAoAAAAAA"; classtype:misc-activity; sid:123456789; rev:1;)
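
What the rule's content string stands for, as an added example that is not part of the original post or of Snort: it decodes the base64 text to the leading bytes of a ZIP local file header and tests constructed headers against it. The helper names and the sample headers are assumptions made for illustration.

```python
import base64
import struct

SIG_CONTENT = "UEsDBAoAAAAAA"  # content string copied from the rule above

def decode_content(content):
    """Decode the complete 4-character base64 groups of the content string.
    Returns (decoded bytes, number of leftover 6-bit characters)."""
    whole = len(content) - len(content) % 4
    return base64.b64decode(content[:whole]), len(content) - whole

def describe(raw):
    """Read the decoded bytes as the start of a ZIP local file header."""
    magic, version, flags = struct.unpack("<4sHH", raw[:8])
    return {"magic": magic, "version_needed": version,
            "flags": flags, "method_low_byte": raw[8]}

def local_header(name, version, flags, method):
    """Constructed sample: 30-byte ZIP local file header plus member name,
    with time, date, CRC and sizes all zero."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version, flags,
                       method, 0, 0, 0, 0, 0, len(name), 0) + name

def rule_matches(attachment):
    """True if the base64 encoding of the attachment contains the content."""
    return SIG_CONTENT in base64.b64encode(attachment).decode("ascii")

if __name__ == "__main__":
    raw, leftover = decode_content(SIG_CONTENT)
    print(raw.hex(" "), "plus", leftover, "partial character(s)")
    print(describe(raw))
    # Constructed headers: (version needed, flags, compression method)
    for fields in [(10, 0, 0), (10, 0, 8), (20, 0, 0)]:
        header = local_header(b"sample.txt", *fields)
        print(fields, "->", rule_matches(header))
```

Of the three constructed headers, only the one with version needed 10, no flags and compression method 0 (stored) produces the rule's content string.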




