[Snort-sigs] Erkez Virus Sig

Tony Bunce tonyb at ...2512...
Tue Jun 15 09:10:06 EDT 2004


We are seeing a lot of Erkez virus traffic so I wrote up a rule to
detect the infected email.  If your mail servers are in HOME_NET you
will probably get a lot of alerts coming from them.


alert tcp $HOME_NET any -> any 25 (msg:"Probable Zafi Virus in SMTP"; \
    content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; \
    content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; \
    sid:9000020; classtype:misc-activity; rev:1;)


Thank you,
Tony Bunce, CCNA, Network+

Systems Administration

GO Concepts, Inc.
www.go-concepts.com <http://www.go-concepts.com/> 
www.sitesbygo.com <http://www.sitesbygo.com/> 
On GO yet?
513-934-2800
1-888-ON-GO-YET
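The following is an added example, not part of Tony's post and not Snort code. It decodes the first content string from the rule above to show what it actually matches (the base64 form of a Windows executable's "MZ" and "PE\0\0" signatures) and re-implements the two content matches with the distance:6 modifier over constructed SMTP payloads, so you can see which byte layouts the rule fires on. The SMTP header lines and filler bytes are constructed for the test; only the two content strings and the distance come from the rule.

```python
"""Offline check of the content/distance logic in the posted Zafi/Erkez Snort rule.

Added example; not from the original post and not Snort source. It only
emulates the pieces of rule semantics needed to understand why it fires.
"""
import base64

# Content strings and distance copied from the posted rule.
CONTENT_1 = b"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"
CONTENT_2 = b"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"
DISTANCE = 6


def decode_b64_fragment(fragment: bytes) -> bytes:
    """Decode a base64 fragment assumed to start on a 4-char boundary.

    CONTENT_1 is 28 chars (4-aligned) so it decodes cleanly; the tail is
    padded in case a shorter fragment is passed in.
    """
    padded = fragment + b"=" * (-len(fragment) % 4)
    return base64.b64decode(padded)


def rule_matches(payload: bytes) -> bool:
    """Emulate: content:CONTENT_1; content:CONTENT_2; distance:6;

    In Snort, 'distance:N' makes the second content search relative to the
    end of the previous match and skips N bytes before it starts looking, so
    CONTENT_2 must begin at or after end_of_CONTENT_1 + DISTANCE. If that
    relative match fails, Snort retries later occurrences of CONTENT_1.
    """
    start = 0
    while True:
        i = payload.find(CONTENT_1, start)
        if i == -1:
            return False
        search_from = i + len(CONTENT_1) + DISTANCE
        if payload.find(CONTENT_2, search_from) != -1:
            return True
        start = i + 1


# Constructed SMTP fragment carrying a base64 attachment (not captured traffic).
SMTP_HEAD = (
    b"DATA\r\n"
    b"Content-Type: application/octet-stream; name=\"file.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
)
# Constructed: first string, six filler base64 chars, then the second string.
HIT = SMTP_HEAD + CONTENT_1 + b"AAAAAA" + CONTENT_2 + b"\r\n.\r\n"
# Constructed: second string begins only two bytes after the first ends,
# inside the region that distance:6 skips, so the rule does not fire.
TOO_CLOSE = SMTP_HEAD + CONTENT_1 + b"AA" + CONTENT_2 + b"\r\n.\r\n"
# Constructed: generic MZ/PE prefix only, no second string at all.
BENIGN = SMTP_HEAD + CONTENT_1 + b"AAAAAAAAAAAA" + b"\r\n.\r\n"


if __name__ == "__main__":
    header = decode_b64_fragment(CONTENT_1)
    print("CONTENT_1 decodes to:", header)
    print("starts with MZ:", header.startswith(b"MZ"), "| PE\\0\\0 at offset", header.find(b"PE\x00\x00"))
    for name, payload in (("HIT", HIT), ("TOO_CLOSE", TOO_CLOSE), ("BENIGN", BENIGN)):
        print(f"{name:10s} -> {'ALERT' if rule_matches(payload) else 'no alert'}")
```

Two things worth noticing when running it. First, the decoded bytes put the "MZ" signature and the "PE\0\0" signature within the first 21 bytes, so the first content string alone would match any base64-encoded executable with that compact header; the second string, 6 or more bytes further on, is what narrows it to this sample. Second, both strings have to be visible in the same inspected payload: base64 bodies are line-wrapped every 76 characters, so if either string straddles a line break, or the two strings fall in different TCP segments without stream reassembly, the rule will not fire.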
 