[Snort-sigs] Here are some Netsky Worm Sigs

Chintan Gosalia chintan_cmpe at ...144...
Fri Feb 27 16:42:11 EST 2004


Hi,
 
A quick question. Why do signatures 308, 309 and 310 have the source port number defined? This may generate a lot of false positives. Can you let me know why you have put them on the source port side?
 
Thanks.
Chintan

Tom.Mclaughlin at ...1486... wrote:

These are from samples of the Netsky.C binary and base64 email attachments.

-Tom
8-473-5286

.oooO
(   )  Oooo. 
 \ (     (   )    
  \_)    ) /
         (_/



Chintan Gosalia <chintan_cmpe at ...144...> 
02/25/2004 02:48 PM 

        
        To:        Tom McLaughlin/CA/KAIPERM at ...1715..., snort-sigs at lists.sourceforge.net 
        cc:         
        Subject:        Re: [Snort-sigs] Here are some Netsky Worm Sigs


Hi, 
  
Thanks for these signatures. But I am wondering where you found the pattern match for these signatures. Please let me know. I think these are only for Netsky.C. If not, can you let me know whether they are for Netsky.B or Netsky.C?
  
Thank you for any help in advance. 
  
Chintan

Tom.Mclaughlin at ...1486... wrote: 

Here are a bunch of sigs that I found useful for this new worm... http://vil.nai.com/vil/content/v_101048.htm 

SID 
1003301 = Catches hosts infected when they try to do a DNS lookup using the servers listed 
1003303 = Netsky binary copied across smb 
1003304 = Netsky binary copied across smb Win2k to Win2k 
1003308 = Netsky base64 detached from Lotus Notes server
1003309 = Netsky base64 crossing SMTP 
1003310 = Netsky binary downloading from HTTP IMAP server 

alert udp any any -> [145.253.2.171,151.189.13.35,193.141.40.42,193.189.244.205,193.193.144.12,193.193.158.10,194.25.2.129,194.25.2.130,194.25.2.131,194.25.2.132,194.25.2.133,194.25.2.134,195.185.185.195,195.20.224.234,212.185.252.136,212.185.252.73,212.185.253.70,212.44.160.8,212.7.128.162,212.7.128.165,213.191.74.19,217.5.97.137,62.155.255.16] 53 (msg:"Netsky DNS lookup"; sid:1003301; rev:2;) 
alert tcp any any -> any 139 (msg:"Netsky message.zip HEX port 139"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003303; rev:1;) 
alert tcp any any -> any 445 (msg:"Netsky message.zip HEX port 445"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003304; rev:1;) 
alert tcp any 1352 -> any any (msg:"Netsky base64 port 1352"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003308; rev:1;) 
alert tcp any 25 -> any any (msg:"Netsky base64 port 25"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003309; rev:1;) 
alert tcp any 80 -> any any (msg:"Netsky message.zip HEX port 80"; content:"|09 0D 00 0D 01 01 0D 0D 09 09 0D 44 0D 71 6D 00 6D 69 69 6D 6D 61 61 6D 00 6D 69 53 53 53 4B|"; sid:1003310; rev:1;) 

-Tom
8-473-5286


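Two things affect base64 signatures like sids 1003308 and 1003309 whatever port direction they use: the same bytes have three different base64 spellings depending on where the attachment starts (offset mod 3), and MIME encoders wrap base64 at 76 columns with CRLF, so a single 48-character content string only matches one alignment and only when no line break lands inside it. The script below is an added example, not code from the thread or from Tom's rules: it decodes the posted base64 string, derives the three alignment-stable spellings, builds constructed (dummy-filler) attachment bodies, and contrasts a raw substring match with one that joins the wrapped lines and tries every alignment.

```python
import base64
import random
from typing import List, Optional

# The base64 content string from sids 1003308 and 1003309 in the post above.
NETSKY_B64 = "8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"


def decode_signature(b64: str) -> bytes:
    """Recover the raw attachment bytes that the signature string encodes (36 bytes)."""
    return base64.b64decode(b64)


def alignment_variants(raw: bytes) -> List[str]:
    """Base64 spellings of `raw` for the three possible positions of its first byte
    within a 3-byte encoding group (offset mod 3). Groups that also cover a
    neighbouring byte are trimmed, so each variant is the same no matter what
    precedes or follows `raw` in the attachment."""
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode("ascii")
        start = 4 if pad else 0                               # first group mixes in pad bytes
        end = len(enc) - (4 if (pad + len(raw)) % 3 else 0)   # last group is partial / padded
        variants.append(enc[start:end])
    return variants


def mime_wrap(b64: str, width: int = 76) -> str:
    """Wrap base64 text the way a MIME encoder does (RFC 2045: 76 chars per line, CRLF)."""
    return "".join(b64[i:i + width] + "\r\n" for i in range(0, len(b64), width))


def build_attachment_body(raw: bytes, prefix_len: int, suffix_len: int = 40) -> str:
    """Constructed sample: `raw` embedded at byte offset `prefix_len` of a dummy
    attachment, base64-encoded and MIME-wrapped as it would cross SMTP."""
    rng = random.Random(prefix_len)  # deterministic filler; not real Netsky bytes

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    blob = filler(prefix_len) + raw + filler(suffix_len)
    return mime_wrap(base64.b64encode(blob).decode("ascii"))


def naive_match(body: str) -> bool:
    """What a single raw content match sees: one spelling, the bytes exactly as on the wire."""
    return NETSKY_B64 in body


def robust_match(body: str, variants: List[str]) -> Optional[int]:
    """Join the wrapped lines, then try every alignment.
    Returns the alignment (0, 1 or 2) that matched, or None."""
    flat = body.replace("\r\n", "")
    for i, variant in enumerate(variants):
        if variant in flat:
            return i
    return None


if __name__ == "__main__":
    raw = decode_signature(NETSKY_B64)
    variants = alignment_variants(raw)
    for offset in (0, 30, 31, 32):
        body = build_attachment_body(raw, offset)
        print(f"offset {offset}: naive={naive_match(body)} robust={robust_match(body, variants)}")
```

The raw string only hits when the attachment happens to start on a 3-byte boundary and the 48 characters fit inside one 76-column line; a rule set that wants the other two alignments needs the two 44-character variants as separate content strings, and nothing in a plain content match undoes the line wrapping, so expect misses on wrapped mail regardless of which port the rule watches.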