[Snort-sigs] Evaman Worm Sig

Matthew Jonkman matt at ...2436...
Mon Jul 5 21:55:08 EDT 2004


alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm Outbound"; pcre:"m/(body|message|email|returned|text|document)\.(scr|txt\.scr|html\.scr|outlook\.scrtxt\.exe)/"; reference:url,secunia.com/virus_information/10429/evaman; sid:2000343; rev:1;)

Posted by sooshie. Thanks

Don't know about accuracy yet as I haven't an outbreak here to check 
against. But it doesn't break snort. :)

If you get any hits on it please let us know. This is posted to bleeding 
as well.

Matt
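
Added example, not part of the original post: a small harness for checking the accuracy of the rule's pcre against constructed SMTP payload lines. It assumes Python's re module as a stand-in for Snort's PCRE engine and matches per line rather than per packet; the sample lines and the TIGHTENED pattern are hypothetical and are not a published revision of sid 2000343.

```python
import re

# Alternations copied from the rule's pcre option as posted.
STEMS = "body|message|email|returned|text|document"
EXTS = r"scr|txt\.scr|html\.scr|outlook\.scrtxt\.exe"

# The posted pattern: unanchored and case-sensitive.
EVAMAN_PCRE = re.compile(rf"({STEMS})\.({EXTS})")

# Hypothetical tightening (assumption): require the MIME name="..." or
# filename="..." context and ignore case.
TIGHTENED = re.compile(rf'name="({STEMS})\.({EXTS})"', re.IGNORECASE)

# Constructed sample lines: (label, should_alert, payload line)
SAMPLES = [
    ("attachment txt.scr", True,
     'Content-Disposition: attachment; filename="message.txt.scr"'),
    ("attachment scr", True,
     'Content-Type: application/octet-stream; name="document.scr"'),
    ("attachment upper", True,
     'Content-Disposition: attachment; filename="DOCUMENT.SCR"'),
    ("benign prose", False,
     "See context.scrollTop in the attached patch."),
    ("benign attachment", False,
     'Content-Disposition: attachment; filename="report.pdf"'),
]


def evaluate(samples=SAMPLES, pattern=EVAMAN_PCRE):
    """Sort sample labels into true/false positive/negative buckets."""
    buckets = {"tp": [], "fp": [], "fn": [], "tn": []}
    for label, should_alert, line in samples:
        hit = pattern.search(line) is not None
        if should_alert:
            buckets["tp" if hit else "fn"].append(label)
        else:
            buckets["fp" if hit else "tn"].append(label)
    return buckets


if __name__ == "__main__":
    for name, pat in (("posted", EVAMAN_PCRE), ("tightened", TIGHTENED)):
        print(name, evaluate(pattern=pat))
```
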





