[Snort-users] Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?

SN ORT snort_on_acid at ...131...
Mon Feb 2 06:46:13 EST 2004


Hello Dr. Martin,
I don't believe that rule would work at all unless the message misspells "respresented". Hehe..

BTW, SCO is already reporting a DoS of their site due to this worm and is offering a $250,000 reward for the worm writers, and it is not Feb. 1 yet!

I just finished an email that addressed the new worm
rules which basically stated that I used the existing
"VIRUS OUTBOUND .pif/.scr file attachment" rules to
find out who had it here, and it worked flawlessly.
Good luck.

Cheese!

Marc

---------------------Original Message------------------
Message: 5
Subject: RE: [Snort-users] Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?
Date: Wed, 28 Jan 2004 13:28:13 -0600
From: "Martin Jr., D. Michael"
<martinm at ...10218...>
To: <sam at ...5202...>,
	"Joe Stewart" <jstewart at ...262...>
Cc: <snort-sigs at lists.sourceforge.net>,
	<snort-users at lists.sourceforge.net>

The MyDoom/Novarg virus won't start utilizing port 80 until February 1st, when it attempts the denial of service on SCO.com. (See other related email.) But that does, however, pose an interesting question...

Does anyone have a signature for detecting the actual infection of systems?

I have seen this one:
alert tcp any any -> any any (msg:"MyDoom"; content:"respresented in 7-bit ASCII"; nocase; sid:1000569; classtype:Possible-VIRUS;)

BUT, according to NAI (http://vil.nai.com/vil/content/v_100983.htm) and Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@...4138....html) there are many variations on the infection algorithm. This one apparently only looks for SMTP traffic with "represented in 7-bit ASCII" in the packet.

Suggestions?


D. Michael Martin, Jr.
Network Administrator
University of Montevallo
-------------------------------------------------------

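As an added illustration of the two detection ideas in this thread (example code, not from either poster), the Python below replays Martin's content-match rule and Marc's .pif/.scr attachment check against constructed SMTP messages. The sample messages, addresses and filenames are made up; the body phrase is the one the quoted rule targets.

```python
import email
from email import policy

# Constructed sample messages, not real captures. The body sentence carries the
# phrase the quoted rule targets; the attachment name is what the .pif/.scr rules see.
SAMPLE_INFECTED = b"""From: alice@example.test
To: bob@example.test
Subject: hello
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--XX--
"""
SAMPLE_CLEAN = b"""From: carol@example.test
To: bob@example.test
Content-Type: text/plain

Minutes are represented as plain text below; nothing is attached.
"""

# 'content' strings: the rule as quoted (misspelled) and the corrected phrase.
RULE_AS_POSTED = "respresented in 7-bit ASCII"
RULE_CORRECTED = "represented in 7-bit ASCII"

def content_match(payload: bytes, content: str, nocase: bool = True) -> bool:
    """Snort-style 'content' test: substring search, case-insensitive with nocase."""
    hay, needle = payload, content.encode()
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def risky_attachments(raw: bytes, exts=(".pif", ".scr")) -> list:
    """Marc's approach: report attachment filenames ending in .pif or .scr.
    This survives body-text changes between variants; a body string does not."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(exts)]
```

The misspelled content string never matches the constructed infected message, while the attachment check flags it regardless of body wording.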



