[Snort-users] Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?

SN ORT snort_on_acid at ...131...
Mon Feb 2 06:46:13 EST 2004

Hello Dr. Martin,
I don't believe that rule would work at all unless the
message misspells "respresented" Hehe..

BTW, SCO is already reporting a DoS of their site due to
this worm and are offering a $250,000 reward for the
worm writers and it is not Feb. 1 yet!

I just finished an email that addressed the new worm
rules which basically stated that I used the existing
"VIRUS OUTBOUND .pif/.scr file attachment" rules to
find out who had it here, and it worked flawlessly.
Good luck.

Message: 5
Subject: RE: [Snort-users] Re: [Snort-sigs] New Worm /
Date: Wed, 28 Jan 2004 13:28:13 -0600
From: "Martin Jr., D. Michael"
<martinm at ...10218...>
To: <sam at ...5202...>,
	"Joe Stewart" <jstewart at ...262...>
Cc: <snort-sigs at lists.sourceforge.net>,
	<snort-users at lists.sourceforge.net>

The MyDoom/Novarg virus won't start utilizing port 80 until February 1st
when it attempts the denial of service on SCO.com. (See other related
email.) But that does, however, pose an interesting

Does anyone have a signature for detecting the actual infection of

I have seen this one:
alert tcp any any -> any any (msg:"MyDoom"; content:"respresented in 7-bit ASCII"; nocase; sid: 1000569; classtype:

BUT, according to NAI (http://vil.nai.com/vil/content/v_100983.htm) and
.html) there are many variations on the infection algorithm. This one
apparently only looks for SMTP traffic with "represented in 7-bit ASCII"
in the packet.


D. Michael Martin, Jr.
Network Administrator
University of Montevallo
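An added example, not part of either message above: a small Python check of the content match the thread discusses, run over a constructed SMTP body fragment. It shows that the rule as posted (with the "respresented" typo) never fires on the correctly spelled phrase, while the same rule with the content string corrected does; the parser is an assumption of this example and handles only plain content strings with nocase, not Snort's |..| hex escapes or other modifiers.

```python
"""Check whether a Snort-style content option would fire on sample SMTP data."""
import re

# Constructed sample in the style of the message body the thread describes.
SAMPLE_SMTP_BODY = (
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n\r\n"
    "The message cannot be represented in 7-bit ASCII encoding "
    "and has been sent as a binary attachment.\r\n"
)

# The rule as posted in the thread (typo kept on purpose) and a corrected copy.
RULE_AS_POSTED = ('alert tcp any any -> any any (msg:"MyDoom"; '
                  'content:"respresented in 7-bit ASCII"; nocase; sid:1000569;)')
RULE_CORRECTED = RULE_AS_POSTED.replace("respresented", "represented")

_CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*;')


def parse_content_options(rule):
    """Return [(pattern, nocase), ...] for each content: option in the rule.

    Only plain strings are understood; hex escapes like |0d 0a| are not decoded.
    """
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    found = [(m.start(), m.end(), m.group(1)) for m in _CONTENT_RE.finditer(opts)]
    result = []
    for i, (_, end, pattern) in enumerate(found):
        # Modifiers such as nocase apply to the content option that precedes them.
        next_start = found[i + 1][0] if i + 1 < len(found) else len(opts)
        modifiers = opts[end:next_start]
        nocase = re.search(r"\bnocase\s*;", modifiers) is not None
        result.append((pattern.replace('\\"', '"'), nocase))
    return result


def rule_matches(rule, payload):
    """True if every content option of the rule is found in the payload."""
    contents = parse_content_options(rule)
    if not contents:
        return False
    for pattern, nocase in contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


if __name__ == "__main__":
    print("as posted :", rule_matches(RULE_AS_POSTED, SAMPLE_SMTP_BODY))   # False
    print("corrected :", rule_matches(RULE_CORRECTED, SAMPLE_SMTP_BODY))   # True
```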

