[Snort-users] Klez sig detects Frethem-Fam

Detmar Liesen counter.spy at ...348...
Tue Jul 16 06:34:06 EDT 2002


Hi again,
granted, I haven't read my sigs mail thoroughly during the past few days, so
maybe this has already been discussed.

We are currently detecting lots of "Klez" worms with our snort, which are in
fact Frethem-Fam worms, so the two seem to be related or derived from each
other.
I can tell this from the AV alerts on our mail gateway.

Question:
Is there any means to distinguish the two from each other?
I'd rather not look for the "password" W8dqwq8q918213 (see reference
in-line), since this is likely to change.
Has anybody created a sig for Frethem already?

Maybe it's no good to create additional signatures for each derived worm,
because this has a negative impact on snort performance. Snort is no AV tool
anyway.

What do you recommend regarding worm/virus detection in snort?
Is this something we should leave to the AV software solely?

TIA,
Detmar

Additional Info:
http://www.sophos.com/virusinfo/analyses/w32frethemfam.html
