[Snort-sigs] Kibuv.Worm signature anyone?

Martin Overton martin at ...1997...
Wed May 26 01:17:00 EDT 2004


Hi,

Someone wanted some sigs for Kibuv aka StdBot. Here are the ones I created 
to detect the currently known variants of this worm/bot.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Stdbot.worm.a[NAI] - SMB"; content: "|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; classtype: misc-activity;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Stdbot.worm.b [NAI] - SMB"; content: "|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; classtype: misc-activity;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Stdbot.worm.c [NAI] - SMB"; content: "|FE AE E4 B2 21 12 FC FA CB 0E B4 49 FF 05 0B 39 2B 2C 61 C7 67 58 6D 89 D9 C2 DA 22 BB E1 FB B0|"; classtype: misc-activity;)

Hope this helps?

Regards,
Martin Overton
-- 
Anti-Malware Specialist - WildList Reporter - AVIEN Charter member
Electronic Ephemera - Hoax FAQ http://cluestick.me.uk
Arachnid and Snake Wrangler - http://arachnophiliac.co.uk/burrow/home.htm
PGP key - http://arachnid.homeip.net/papers/other/MartinOverton.asc
QFTD='In these matters the only certainty is that nothing is certain.' - 
Pliny the Elder
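
Added example (not part of the original post, and not Martin Overton's code): a small Python harness for checking a content signature like the ones above offline, by decoding the |hex| pattern of rule .a and matching it against constructed buffers. The function names and test buffers are assumptions made for illustration, and only the payload match is modelled, not the rule header.

```python
import re

# Rule ".a" copied from the post above and joined onto one line.
RULE_A = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"W32/Stdbot.worm.a[NAI] - SMB"; content: "|28 0E 49 8D B5 17 B9 6C '
    '4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; '
    'classtype: misc-activity;)'
)

def decode_content(pattern: str) -> bytes:
    """Decode a Snort content string: text is literal, |..| spans are hex bytes.
    Backslash escapes are not handled; the rules in the post do not use them."""
    if pattern.count("|") % 2:
        raise ValueError("unbalanced | in content pattern")
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd-numbered pieces sit between a pair of pipes and hold hex.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Pull msg and the decoded content bytes out of a single-content rule."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    content = re.search(r'content:\s*"([^"]*)"', opts)
    if not (msg and content):
        raise ValueError("rule needs both msg and content options")
    return {"msg": msg.group(1), "pattern": decode_content(content.group(1))}

def alerts(rule: dict, buffers: list) -> list:
    """Return (buffer index, offset) for each buffer containing the pattern.
    Matching is per buffer, exact bytes, any offset, like a bare content option."""
    found = ((n, buf.find(rule["pattern"])) for n, buf in enumerate(buffers))
    return [(n, off) for n, off in found if off != -1]

if __name__ == "__main__":
    rule = parse_rule(RULE_A)
    pat = rule["pattern"]
    # Constructed test buffers (filler bytes, not captured traffic).
    samples = [
        b"\x00" * 40 + pat + b"\xff" * 8,   # pattern present at offset 40
        b"\x00" * 40 + pat[:-1] + b"\x00",  # last byte altered: no match
        b"\x00" * 10 + pat[:16],            # pattern split across two
        pat[16:] + b"\x00" * 10,            # buffers: neither matches alone
    ]
    print(rule["msg"], len(pat), alerts(rule, samples))
```

The split-buffer case shows why a 32-byte content match depends on the pattern arriving in one inspected buffer.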






