[Snort-users] New snort rule for WORM_NETSKY.B yet PLEASE???

Matt Kettler mkettler at ...4108...
Wed Feb 18 09:27:05 EST 2004

At 10:15 AM 2/18/2004, Snortty wrote:
>This one seems to be getting ready, or already spread
>like the last time, any rule to apply to detect it yet?

Hardly urgent, as nobody should be using snort as a first-line-of-defense 
against mail worms.. That's what putting a virus scanner on your mailserver 
is for.

However, it would be handy to have a signature for this things file-share 

Details on the worm can be found here

The clamAV signature for this thing is:

Which is a rather long signature to be looking for in packets via snort, 
but it's a start. (note that clamav signatures are just virusname=(hex 

Note: the above signature is extracted from clamav daily.cvd version 134, 
and thus is likely Copyrighted with GPL licensing like the rest of clamav.
         You can obtain all of clamav, and it's source code from: 

More information about the Snort-users mailing list