[Snort-sigs] W32.Beagle.J Worm Signature?

Hugo van der Kooij hvdkooij at ...481...
Wed Mar 3 13:47:00 EST 2004


On Wed, 3 Mar 2004 Mark.Schutzmann at ...2233... wrote:

> Has anyone developed or seen a signature for the W32.Beagle.J? I know that
> it is not best-practices to monitor for viruses through the SMTP gateway
> with Snort, but I am having a problem detecting this one. The issue is that
> the well-known AV Vendor that I am using will not scan a password-protected
> zip file, which is usually the attachment for this worm's e-mail. Any help
> would be appreciated.

Name a scanner that DOES scan a password protected zip file. I have seen
quite a bunch and you either block these files or ignore them. Until now
I was biased to let them pass. But things start to go downhill rapidly
these days.

Unfortunately I have not seen enough examples to attempt any pattern
recognition.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
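
The block-or-pass decision discussed in this thread depends on recognising that a zip attachment is encrypted without opening it. The following is an added example, not part of the original messages: a Python function that reports mail attachments whose ZIP entries have general-purpose flag bit 0 (encrypted) set, so a gateway policy can act on them. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ENCRYPTED = 0x0001  # ZIP general-purpose flag bit 0: entry is encrypted


def encrypted_zip_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of attachments that are ZIPs with any encrypted entry."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload or not payload.startswith(b"PK\x03\x04"):
            continue  # go by magic bytes, not by the declared name or MIME type
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # infolist() reads only the central directory, no password needed
                if any(zi.flag_bits & ENCRYPTED for zi in zf.infolist()):
                    hits.append(part.get_filename() or "(unnamed)")
        except zipfile.BadZipFile:
            continue  # truncated or malformed archive; handle by separate policy
    return hits


def _sample_message(encrypted: bool) -> bytes:
    """Constructed test input: a mail with one small ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample data")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set flag bit 0 in the local header (offset 6) and central directory (offset 8)
        data[6] |= ENCRYPTED
        data[data.index(b"PK\x01\x02") + 8] |= ENCRYPTED
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("constructed body")
    msg.add_attachment(bytes(data), maintype="application", subtype="octet-stream",
                       filename="sample.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(encrypted_zip_attachments(_sample_message(encrypted=True)))
    print(encrypted_zip_attachments(_sample_message(encrypted=False)))
```
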



