[Snort-sigs] Atak Rule

Matthew Jonkman matt at ...2436...
Wed Jul 14 21:24:02 EDT 2004


Michael Sconzo sent us this rule, looks to be quite accurate.

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
    (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; \
    content:"Authorized Researcher Only"; \
    pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; \
    content:"filename="; content:".zip"; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; \
    sid:2000494; rev:1;)

It's in the bleeding set. Thanks Michael

Matt
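
An added example, not part of the original post: a Python sketch that mimics the rule's payload options so sample SMTP payloads can be checked for hits and false positives before the rule is deployed. It assumes the whole message reaches the sensor as one buffer and ignores $HOME_NET/$EXTERNAL_NET; the function names and sample payloads are constructed for illustration.

```python
import re

# Payload options copied from the rule above (sid:2000494). None is relative
# (no distance/within, no R flag), so each may match anywhere, in any order.
# No "nocase" modifier is present, so every match is case-sensitive.
CONTENTS = [b"Authorized Researcher Only", b"filename=", b".zip"]
PCRE = re.compile(rb"(Read\ the\ Result\!|Important\ Data\!)")

def missing_options(payload: bytes) -> list:
    """Return the rule options the payload fails; an empty list means a hit."""
    missing = [c.decode() for c in CONTENTS if c not in payload]
    if PCRE.search(payload) is None:
        missing.append("pcre")
    return missing

def rule_matches(payload: bytes, dst_port: int = 25) -> bool:
    """Emulate the alert decision for one client-to-server payload."""
    return dst_port == 25 and not missing_options(payload)

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Carries every string the rule looks for.
    "all_strings": b'Subject: Important Data!\r\n\r\nAuthorized Researcher Only\r\n'
                   b'Content-Disposition: attachment; filename="data.zip"\r\n',
    # Ordinary mail with a zip attachment: two options are missing.
    "plain_zip": b'Subject: Q2 figures\r\n\r\n'
                 b'Content-Disposition: attachment; filename="q2.zip"\r\n',
    # Same as all_strings but lower-cased body text: content is case-sensitive.
    "lowercase": b'Subject: Important Data!\r\n\r\nauthorized researcher only\r\n'
                 b'Content-Disposition: attachment; filename="data.zip"\r\n',
    # Benign mail quoting the rule's strings in a different order still hits,
    # because the options are unordered.
    "reordered": b'Content-Disposition: attachment; filename="rules.zip"\r\n\r\n'
                 b'Rule text: Authorized Researcher Only, Read the Result!\r\n',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, rule_matches(payload), missing_options(payload))
```
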




