[Snort-users] Elkern Worm
Kenneth G. Arnold
bkarnold at ...8060...
Tue May 27 12:32:10 EDT 2003
I was under the impression that Elkern was caused by Klez. Any machines
that I found infected with Klez also had Elkern. It may also be possible
to become infected with Elkern independently.
NOTE: This virus is associated with and can be dropped by either W32.Klez.A
or W32.Klez.D. Please read those write-ups for additional information.
I have determined a way to detect a machine infected with Klez. Infected
machines try to send email using various mailservers. One of them is
alert tcp $HOME_NET any -> 220.127.116.11/32 25 (msg:"Klez infection likely";
would find machines trying to send email using that particular
server. Every machine setting off this alert has been infected with
Klez There may be other machines infected that don't use this particular
As far as finding out which machines are not current with their virus
definitions, you could set up an alert to fire when a machine connects to
the source of the virus definitions. A machine that did not set off the
alert is not getting current virus definitions. I know this is alerting on
a good thing rather than a bad thing but it is a possible way to determine
which machines are not updating virus definitions.
At 02:06 PM 5/27/2003 -0400, Lorraine Cannavale wrote:
>I just sent an e-mail to the snort-sigs list seeking a rule or ruleset to
>detect the Elkern worm (if anyone in this group has the rule, your response
>But, I would really like some tips and advice on controlling the Elkern worm
>on our network. We have antivirus software installed on each workstation,
>and it should be configured to obtain the latest virus definitions daily.
>However, we do not have an accurate way (today) of determining if
>workstations do in fact have the latest AV signatures, nor do we have a way
>of determining what workstations may be infected with viruses. Our shared
>folders on servers keep getting re-infected with the Elkern virus.
>Any help and suggestions would be appreciated.
>Thank you in advance,
>This SF.net email is sponsored by: ObjectStore.
>If flattening out C++ or Java code to make your application fit in a
>relational database is painful, don't do it! Check out ObjectStore.
>Now part of Progress Software. http://www.objectstore.net/sourceforge
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users