[Snort-users] Elkern Worm

Terence Runge terencerunge at ...9090...
Tue May 27 14:17:06 EDT 2003

If memory serves me right, Elkern relies on easily cracked passwords 
with Administrator permissions in order to infect your Windows shares. 
Run an xscan against one of your infected systems and check for a weak 
or non-existent Administrator password.


Lorraine Cannavale wrote:

>I just sent an e-mail to the snort-sigs list seeking a rule or ruleset to
>detect the Elkern worm (if anyone in this group has the rule, your response
>is welcome).
>But, I would really like some tips and advice on controlling the Elkern worm
>on our network.  We have antivirus software installed on each workstation,
>and it should be configured to obtain the latest virus definitions daily.
>However, we do not have an accurate way (today) of determining if
>workstations do in fact have the latest AV signatures, nor do we have a way
>of determining what workstations may be infected with viruses.  Our shared
>folders on servers keep getting re-infected with the Elkern virus.
>Any help and suggestions would be appreciated.
>Thank you in advance,