[Snort-users] Elkern Worm

Kenneth G. Arnold bkarnold at ...8060...
Tue May 27 12:32:10 EDT 2003

I was under the impression that Elkern was caused by Klez.  Any machines 
that I found infected with Klez also had Elkern.  It may also be possible 
to become infected with Elkern independently.

Symantec says:
NOTE: This virus is associated with and can be dropped by either W32.Klez.A 
or W32.Klez.D. Please read those write-ups for additional information.

I have determined a way to detect a machine infected with Klez.  Infected 
machines try to send email using various mailservers.  One of them is so:

alert tcp $HOME_NET any -> 25 (msg:"Klez infection likely"; 

would find machines trying to send email using that particular 
server.  Every machine setting off this alert has been infected with 
Klez  There may be other machines infected that don't use this particular 

As far as finding out which machines are not current with their virus 
definitions, you could set up an alert to fire when a machine connects to 
the source of the virus definitions.  A machine that did not set off the 
alert is not getting current virus definitions.  I know this is alerting on 
a good thing rather than a bad thing but it is a possible way to determine 
which machines are not updating virus definitions.


At 02:06 PM 5/27/2003 -0400, Lorraine Cannavale wrote:
>I just sent an e-mail to the snort-sigs list seeking a rule or ruleset to
>detect the Elkern worm (if anyone in this group has the rule, your response
>is welcome).
>But, I would really like some tips and advice on controlling the Elkern worm
>on our network.  We have antivirus software installed on each workstation,
>and it should be configured to obtain the latest virus definitions daily.
>However, we do not have an accurate way (today) of determining if
>workstations do in fact have the latest AV signatures, nor do we have a way
>of determining what workstations may be infected with viruses.  Our shared
>folders on servers keep getting re-infected with the Elkern virus.
>Any help and suggestions would be appreciated.
>Thank you in advance,
>This SF.net email is sponsored by: ObjectStore.
>If flattening out C++ or Java code to make your application fit in a
>relational database is painful, don't do it! Check out ObjectStore.
>Now part of Progress Software. http://www.objectstore.net/sourceforge
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list