[Snort-sigs] Kibuv.Worm signature anyone?

Tony Bunce tonyb at ...2512...
Tue May 25 11:12:12 EDT 2004

We use Snort as part of an automated system to deactivate infected user
accounts, so we need to tell the difference between Blaster, Sasser, and

Is there any way to do this?

Thank you,
Tony Bunce, CCNA, Network+
Systems Administration
GO Concepts, Inc.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Nigel
Sent: Tuesday, May 25, 2004 11:15 AM
To: Sumeet SINGH
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Kibuv.Worm signature anyone?

On 0, Sumeet SINGH <susingh at ...2510...> allegedly wrote:
> hi
> does anyone have a signature for Kibuv?

Kibuv uses multiple attack vectors to infect hosts, namely
in LSASS, Messenger Service, RPC DCOM and WebDav.

Rules already exist to detect possible attempts to leverage attacks
against these services.

The worm may also try to exploit the UPnP vulnerability, although it
tries on port 5000, not 1900. The Snort rules for UPnP specify port 1900;
you could use those and change the port for your local.rules file. I
believe the rule in question for Kibuv would be sid 1384, which detects
attempts to exploit UPnP using "NOTIFY".

If you suspect you might have an infected host, try connecting to the
services started by Kibuv on that host.

> regards
> -- sumeet
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
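What Nigel's suggestion looks like in practice: a local.rules entry modelled on the stock UPnP NOTIFY rule (sid 1384) but re-pointed at port 5000. This is an added illustration, not a rule from the thread or from the Sourcefire ruleset. The rule body (protocol, the "NOTIFY * " content match, classtype) is assumed to match the stock sid 1384 line of that era; copy the content and reference options from the sid 1384 line in your own installed rules file rather than trusting this reproduction, and confirm against a capture whether Kibuv's port 5000 traffic is UDP or TCP, since the thread only states the port. The sid 1000001 is a placeholder in the local-rule range (sids at or above 1000000 are reserved for local rules).

```snort
# local.rules (added example, not from the original post)
#
# Clone of the stock UPnP "malformed advertisement" rule (sid 1384), which
# only watches port 1900, re-pointed at port 5000 where Kibuv tries it.
# ASSUMPTION: the body below mirrors sid 1384 as shipped at the time; copy
# the options from your own rules file if they differ.
# ASSUMPTION: UDP, like the stock rule. Verify with a capture and switch to
# "alert tcp" if the worm's port 5000 traffic turns out to be TCP.
alert udp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"LOCAL UPnP malformed advertisement on port 5000 (Kibuv)"; content:"NOTIFY * "; nocase; classtype:misc-attack; sid:1000001; rev:1;)
```

Make sure snort.conf has `include $RULE_PATH/local.rules` after the stock rule includes, then validate the configuration with `snort -T -c /etc/snort/snort.conf` before restarting the sensor; a typo in the rule is caught there rather than silently dropping the whole local.rules file. Because an automated account-disable action is hanging off these alerts, keep the local msg string distinct from the stock sid 1384 message so the two port variants can be told apart in the alert log.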