[Snort-sigs] Rule documentation for SID 5323

A. J. Wright ajw at ...3223...
Tue May 16 04:19:22 EDT 2006

I had a couple of false positives regarding this rule, which I found  

According to "http://www.snort.org/snort-db/help.html" I'm supposed  
to send the information to this list.


A. J. Wright -- <ajw at ...3223...>
Senior Security Analyst, Information Security Office
University of Tennessee, Knoxville


# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule: VIRUS Possible Sober virus set three NTP time check attempt

Sid: 1:5323

Summary: This rule fires when TCP traffic is initiated from $HOME_NET  
to a list of NTP servers known to be used by the Sober virus series.

Impact:  This event suggests that the source system is infected with  
a version of the Sober virus.

Detailed Information: Several versions of the Sober e-mail worm  
monitor a fixed list of NTP servers to determine when to download and  
execute a file from a controlling web server.

This rule fires when Snort sees traffic on port 37/tcp (the port  
commonly associated with the "time" protocol) to one of the following  
IP addresses:

As of May 2006, these resolve to the following names:

ns1.usg.edu
garfield.massayonet.com.br
verge.greyware.com
time1.chu.nrc.ca
hendrek.colo.frell.eu.org
valinor.theunixman.com
nist1.symmetricom.com

Affected Systems: This email worm affects systems running the  
Microsoft Windows family of operating systems.

Attack Scenarios: This virus is spread by self-generated email  
messages containing a UPX-packed Visual Basic Script.  This is  
primarily a social engineering attack as the software must be  
executed by the user.

Ease of Attack: Simple

False Positives: This alert is triggered if any system contacts the  
aforementioned systems on 37/tcp.

False Negatives: Some Sober viruses may contact a different set of  
NTP servers or no NTP server at all.

Corrective Action: Install up-to-date virus scanning software.  Use  
that to remove the malicious software from the infected system.

Contributors: Original rule writer unknown.  This rule was added in  
the December 30, 2005 rule update.
Documented by A. J. Wright <ajw at ...3223...> of the University of  
Tennessee Information Security Office.

Additional References:

In these references, * represents the virus version letter.  Due to  
the number of Sober versions, this is often A-Z or sometimes A-ZZ or  

F-Secure: Sober.*
Symantec: W32.Sober.*@mm
McAfee: W32/Sober.*@mm
Google: sober ntp
Wikipedia: Sober (computer worm)
