[Snort-users] Fizzer Virus Signature

L. Christopher Luther CLuther at ...6333...
Tue May 13 10:51:05 EDT 2003


Jeremy

I'm not familiar with this particular worm, but the |00| (i.e., null byte)
interspersed between 'normal' characters is used to handle Windoze's Unicode
strings.


Cheers! 

- Christopher


-----Original Message-----
From: Jeremy Junginger [mailto:jj at ...9165...]
Sent: Tuesday, May 13, 2003 1:09 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Fizzer Virus Signature


Has anyone written a signature for the Fizzer worm?  I found these on
Symantec's site, they are written for ManHunt, but they look very much
like Snort signatures, plus they load okay (I put them in fizzer.rules).
Could you take a look at them and let me know if I'm on the right
track?

alert tcp any any -> any any (msg:"W32.HLLW.Fizzer at ...4138..."; \
  content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t"; nocase; \
  content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"; nocase;)

alert udp any any -> any any (msg:"W32.HLLW.Fizzer at ...4138..."; \
  content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t"; nocase; \
  content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"; nocase;)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer at ...4138...";content:"AHMAZQByAHYAYwAuAGUAeABl";)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer at ...4138...";content:"AGwAcwBlAHIAdgBjAC4AZQB4";)

alert tcp any any -> any 25
(msg:"W32.HLLW.Fizzer at ...4138...";content:"AbABzAGUAcgB2AGMALgBlAHg";)

Many thanks!  Also, could someone clarify what's going on with the |00|
stuff?  I've seen it here and there, but don't really understand it.  I
can see the obvious "Microsoft R Windows System Init" and "lservc.exe"
(which looks strange, because it should be looking for iservc.exe AFAIK).
Anyhow, thanks!

-Jeremy
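The two questions in this thread (what the |00| bytes are, and why there are three different port-25 strings for the same file name) have one answer: the first two rules match the file name as Windows stores it, UTF-16LE, where every ASCII character is followed by a 0x00 high byte, and the three port-25 rules are the three possible base64 alignments of that same UTF-16LE byte string inside a MIME-encoded mail body (a 3-byte group becomes 4 base64 characters, so a substring encodes differently depending on where it starts modulo 3). The script below is an added example, not code from either poster or from Symantec: it builds the |00| content form from a plain string and generates the three base64 alignments, and can be checked against the posted strings. The function names, the rule skeleton and the constructed msg text are my own; sid/rev are left out because the thread gives none.

```python
"""Generate Snort content: patterns for a UTF-16LE string and the three
base64 alignments of it, as seen in the Fizzer rules posted above.

Added example for this thread; not code from either poster or Symantec.
"""
from __future__ import annotations

import base64
import string

# Bytes written literally inside content:"...". Everything else, including
# the 0x00 high bytes of UTF-16LE and the characters that are special to
# Snort's rule parser (" | ; \), is emitted as |xx| hex.
_LITERAL = set((string.ascii_letters + string.digits + " ().,-_/@").encode())


def snort_content(data: bytes) -> str:
    """Render raw bytes in Snort content syntax, e.g. b'l\\x00s\\x00' -> 'l|00|s|00|'."""
    out: list[str] = []
    hexrun: list[int] = []

    def flush() -> None:
        if hexrun:
            out.append("|" + " ".join(f"{b:02x}" for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if b in _LITERAL:
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def base64_alignments(data: bytes) -> list[str]:
    """Return the three base64 substrings that match `data` inside a base64 stream.

    Index k (0, 1 or 2) is the pattern for the case where k bytes of unknown
    preceding content share the first 3-byte group with `data`. Only
    characters whose 6 bits lie entirely inside `data` are kept, so each
    pattern is exact for its alignment and never depends on neighbouring bytes.
    """
    patterns = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + data).decode("ascii")
        first = (8 * k + 5) // 6            # first fully determined character
        last = (8 * (k + len(data))) // 6   # one past the last fully determined one
        patterns.append(enc[first:last])
    return patterns


def build_rules(msg: str, *ascii_strings: str) -> list[str]:
    """Emit one any-port TCP rule matching every string as UTF-16LE, plus one
    port-25 rule per base64 alignment of the last string (the file name).

    The base64 rules deliberately carry no 'nocase': base64 is case-sensitive,
    so nocase there would only add false positives.
    """
    utf16 = [s.encode("utf-16-le") for s in ascii_strings]
    contents = " ".join(f'content:"{snort_content(u)}"; nocase;' for u in utf16)
    rules = [f'alert tcp any any -> any any (msg:"{msg}"; {contents})']
    for pat in base64_alignments(utf16[-1]):
        rules.append(f'alert tcp any any -> any 25 (msg:"{msg}"; content:"{pat}";)')
    return rules


if __name__ == "__main__":
    # Constructed inputs: the two strings from the posted rules, my own msg text.
    for rule in build_rules("Fizzer UTF-16LE example",
                            "Microsoft(R) Windows (R) System Init", "lservc.exe"):
        print(rule)
```

Running it on "lservc.exe" reproduces the posted strings: the alignment-0 pattern contains "bABzAGUAcgB2AGMALgBlAHg", alignment 1 contains "wAcwBlAHIAdgBjAC4AZQB4" and alignment 2 contains "AHMAZQByAHYAYwAuAGUAeABl". The Symantec strings each start one character earlier (for example "AbAB..."); that extra character assumes the byte before the file name is 0x00, which holds whenever the preceding character is also ASCII UTF-16LE, so their patterns are slightly more specific and mine are slightly more general. Note that the port-25 rules only fire on a base64 transfer encoding; a 7-bit or quoted-printable body of the same file name needs the |00| form instead.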

