[Snort-users] W32.Badtrans.B at ...4138...

John Sage jsage at ...2022...
Tue Nov 27 08:41:07 EST 2001


No: that's only going to do the *.scr variation, isn't it..

erp..

"The second extension that is appended to the file name is one of the 
following: .pif .scr..."


This from:

http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@...3071...


- John

John Sage wrote:

> Brad:
> 
> This seems to be doing it for me:
> 
> alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm";
>  content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)
> 
> This is in virus.rules in the 1.8.2 build 86 *nix release..
> 
> 
> Results:
> 
> [**] Virus - Possible scr Worm [**]
> 11/25-09:24:33.110806 216.21.229.220:110 -> 12.82.129.39:63728
> TCP TTL:50 TOS:0x0 ID:60154 IpLen:20 DgmLen:1014 DF
> ***AP*** Seq: 0x735E1172  Ack: 0xE8893930  Win: 0x7D78  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 50653281 30268773
> 2D 2D 3D 3D 3D 3D 5F 41 42 43 30 39 38 37 36 35  --====_ABC098765
> 34 33 32 31 44 45 46 5F 3D 3D 3D 3D 2D 2D 0D 0A  4321DEF_====--..
> 0D 0A 2D 2D 3D 3D 3D 3D 5F 41 42 43 31 32 33 34  ..--====_ABC1234
> 35 36 37 38 39 30 44 45 46 5F 3D 3D 3D 3D 0D 0A  567890DEF_====..
> 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 75  Content-Type: au
> 64 69 6F 2F 78 2D 77 61 76 3B 0D 0A 09 20 6E 61  dio/x-wav;... na
> 6D 65 3D 22 6E 65 77 73 5F 64 6F 63 2E 44 4F 43  me="news_doc.DOC
> 2E 73 63 72 22 0D 0A 43 6F 6E 74 65 6E 74 2D 54  .scr"..Content-T
> 72 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67  ransfer-Encoding
> 3A 20 62 61 73 65 36 34 0D 0A 43 6F 6E 74 65 6E  : base64..Conten
> 74 2D 49 44 3A 20 3C 45 41 34 44 4D 47 42 50 39  t-ID: <EA4DMGBP9
> 70 3E 0D 0A 0D 0A 54 56 71 51 41 41 4D 41 41 41  p>....TVqQAAMAAA
> 41 45 41 41 41 41 2F 2F 38 41 41 4C 67 41 41 41  AEAAAA//8AALgAAA
> 
> <snip>
> 
> 
> 
> 
> bthaler at ...2720... wrote:
> 
>> Does anyone have a rule for the new W32.Badtrans.B at ...4138... virus going around?
>> I'm getting flooded with it, and was hoping to be able to keep track 
>> of it.
>>
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 


-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
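As an added illustration (not part of this thread, and not code from the Snort project or its virus.rules), the Python below replays the point made above: a rule that only matches the string ".scr" fires on the captured attachment but would stay silent on the ".pif" variant the Symantec write-up also lists. The sample MIME part is constructed from the packet dump quoted in the thread (same boundary, Content-Type name and base64 prefix); the .pif sample is the same part with only the name changed, and the function names are my own.

```python
import base64
import re

# Constructed sample: a MIME part modelled on the POP3 payload quoted in the
# thread (boundary, folded Content-Type name and base64 prefix as captured).
SAMPLE_SCR = (
    b"--====_ABC0987654321DEF_====--\r\n"
    b"\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b"Content-Type: audio/x-wav;\r\n"
    b"\t name=\"news_doc.DOC.scr\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <EA4DMGBP9p>\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAA\r\n"
)

# Constructed .pif variant: identical except for the outer extension, which
# the Symantec description lists as the other possibility.
SAMPLE_PIF = SAMPLE_SCR.replace(b"news_doc.DOC.scr", b"news_doc.DOC.pif")

# Outer extensions named in the Symantec description quoted in the thread.
WORM_EXTENSIONS = (".scr", ".pif")


def scr_only_rule_matches(payload):
    """Mirror the quoted virus.rules signature (content:".scr"; nocase;):
    a case-insensitive substring match anywhere in the packet payload."""
    return b".scr" in payload.lower()


def split_part(part):
    """Return (headers, base64_body) for the MIME part that follows the last
    boundary line.  Folded header continuations (CRLF + space/tab, as in the
    capture's name= parameter) are joined back onto their header first."""
    text = re.sub(rb"\r\n[ \t]+", b" ", part)
    lines = text.split(b"\r\n")
    headers = {}
    i = 0
    for i, line in enumerate(lines):
        if line.startswith(b"--"):            # boundary: restart header collection
            headers = {}
        elif line == b"" and headers:         # blank line after headers: body starts
            break
        elif b":" in line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode("latin-1")
    body = b"".join(lines[i + 1:])
    return headers, body


def attachment_name(part):
    """The name= parameter of the part's Content-Type header, or None."""
    ctype = split_part(part)[0].get("content-type", "")
    m = re.search(r'name="?([^";]+)"?', ctype, re.IGNORECASE)
    return m.group(1) if m else None


def has_worm_double_extension(filename):
    """True when the name carries two extensions and the outer one is .scr or
    .pif, the attachment pattern the Symantec description gives."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in WORM_EXTENSIONS


def body_decodes_to_pe(part):
    """True when a base64 body begins with the DOS 'MZ' magic (the TVqQ...
    prefix in the capture): the "audio/x-wav" part is really an executable."""
    headers, body = split_part(part)
    if headers.get("content-transfer-encoding", "").lower() != "base64":
        return False
    head = body[:24]
    head = head[: len(head) - len(head) % 4]  # keep whole base64 quanta only
    try:
        return base64.b64decode(head, validate=True).startswith(b"MZ")
    except ValueError:
        return False


def classify(part):
    """Summarise what each check says about one captured part."""
    name = attachment_name(part) or ""
    return {
        "scr_rule_fires": scr_only_rule_matches(part),
        "attachment": name,
        "worm_extension": has_worm_double_extension(name),
        "pe_payload": body_decodes_to_pe(part),
    }


if __name__ == "__main__":
    for label, part in (("scr sample", SAMPLE_SCR), ("pif sample", SAMPLE_PIF)):
        print(label, classify(part))
```

Run stand-alone it prints one line per sample; the .scr sample trips the quoted rule while the .pif sample does not, even though both carry the same double-extension name and the same MZ-headed base64 body. The filename and MZ checks are what a complete detection would key on rather than a single substring.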
