[Snort-sigs] Kibuv.Worm signature anyone?

Nigel Houghton nigel at ...435...
Tue May 25 08:14:11 EDT 2004

On  0, Sumeet SINGH <susingh at ...2510...> allegedly wrote:
> hi
> does anyone have a signature for Kibuv?
> http://securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.worm.html

Kibuv uses multiple attack vectors to infect hosts, namely vulnerabilities
in LSASS, Messenger Service, RPC DCOM and WebDav.

Rules already exist to detect possible attempts to leverage attacks
against these services.

The worm may also try to exploit the UPnP vulnerability too, although it
tries on port 5000 not 1900. The Snort rules for UPnP specify port 1900,
you could use those and change the port for your local.rules file. I
believe the rule in question for Kibuv would be sid 1384, which detects
attempts to exploit UPnP using "NOTIFY".

If you suspect you might have an infected host, try connecting to the
services started by Kibuv on that host.

> regards
> -- sumeet
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

More information about the Snort-sigs mailing list