[Snort-users] Strange ICMP traffic. Perhaps a worm?

Jim Brown jpb at ...10281...
Tue Dec 16 17:30:00 EST 2003


* adam.w.hogan <adam.w.hogan at ...9362...> [2003-12-15 11:02]:
> 
> A lot of those alerts indicate the Nachi/Welchia worm.
> 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
> 
> -----Original Message-----
> From: Harry M [mailto:harrym at ...10739...]
> Sent: Thursday, December 11, 2003 6:01 PM
> To: snort-users
> Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?
> 
> 
> I'm getting lots of ICMP traffic that looks pretty odd to me. They are all
> ping packets with a fairly strange payload:
> 
> 000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 

This is a recon for Nachi/Welchia. You should read:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html 
http://vil.nai.com/vil/content/v_100559.htm 
http://www.microsoft.com/technet/security/virus/alerts/nachi.asp . 

Best Regards,
jpb
===
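
Added example, not part of the original thread: a Python check for the payload pattern in the dump above, an ICMP echo request carrying 64 bytes of 0xAA. The function names and the sample packets are constructed for illustration; the check tests only the fill pattern, so a match marks traffic for review rather than identifying the sender.

```python
import struct

FILL = 0xAA        # fill byte from the payload dump in the thread
PAYLOAD_LEN = 64   # four 16-byte rows in that dump

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, as used in the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(payload: bytes, icmp_type: int = 8, ident: int = 1, seq: int = 1) -> bytes:
    """Build an ICMP message with a valid checksum (constructed test input)."""
    csum = inet_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def classify(icmp: bytes) -> str:
    """Classify bytes that start at the ICMP header (IP header already stripped)."""
    if len(icmp) < 8:
        return "truncated"
    if inet_checksum(icmp) != 0:      # a valid message sums to zero
        return "bad-checksum"
    if icmp[0] != 8 or icmp[1] != 0:  # echo request is type 8, code 0
        return "not-echo-request"
    payload = icmp[8:]
    if len(payload) == PAYLOAD_LEN and payload.count(FILL) == PAYLOAD_LEN:
        return "aa-fill-echo"
    return "other-echo-request"

if __name__ == "__main__":
    # Constructed samples: the pattern from the thread, an alphabet-filled
    # echo request, and an echo reply that carries the same fill.
    samples = {
        "aa-fill request": build_icmp(bytes([FILL]) * PAYLOAD_LEN),
        "alphabet request": build_icmp(b"abcdefghijklmnopqrstuvwabcdefghi"),
        "aa-fill reply": build_icmp(bytes([FILL]) * PAYLOAD_LEN, icmp_type=0),
    }
    for name, pkt in samples.items():
        print(f"{name:18} -> {classify(pkt)}")
```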