[Snort-users] New virus zotob signature

Troy Solo solo at ...1121...
Tue Aug 16 11:20:46 EDT 2005


 From another source:

alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; \
    flow:to_server,established; \
    content:"|FF|SMB%"; depth:5; offset:4; nocase; \
    content:"|2600|"; depth:2; offset:65; \
    content:"|67157a76|"; \
    reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; \
    classtype:attempted-admin; sid:1000130; rev:1;)

alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; \
    flow:to_server,established; \
    content:"|FF|SMB%"; depth:5; offset:4; nocase; \
    content:"|2600|"; depth:2; offset:65; \
    content:"|3600|"; offset:110; within:5; \
    content:"|F6387A76|"; \
    reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; \
    classtype:attempted-admin; sid:1000131; rev:1;)

alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; \
    flow:to_server,established; \
    content:"|FF|SMB%"; depth:5; offset:4; nocase; \
    content:"|2600|"; depth:2; offset:65; \
    content:"|3600|"; offset:110; within:5; \
    content:"|F6387A76|"; \
    reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; \
    classtype:attempted-admin; sid:1000132; rev:1;)



Cesar Sanabria Pineda wrote:
> Hi all, Does anybody have the signature for the new virus zotob that
> exploits MS05-039?
> 
> Cesar Sanabria Pineda <csanab at ...12650...>
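
Added example, not part of the original post or of Snort itself: a small Python model of how the three content options of sid:1000130 are evaluated, useful for checking where the offset/depth windows fall before loading the rule. It assumes Snort's absolute offset/depth semantics (search window = payload[offset : offset+depth]); the rule header and flow option are not modelled, the names Content, rule_fires and build_sample are hypothetical, and the sample buffer is constructed zero filler, not a real SMB request.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    """One Snort 'content' option with absolute offset/depth modifiers."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None   # None = search to end of payload
    nocase: bool = False

    def matches(self, payload: bytes) -> bool:
        # The whole pattern must lie inside payload[offset : offset+depth].
        end = len(payload) if self.depth is None else self.offset + self.depth
        window, pat = payload[self.offset:end], self.pattern
        if self.nocase:
            window, pat = window.lower(), pat.lower()
        return pat in window


# Content options of sid:1000130, copied from the rule in the post above.
SID_1000130 = [
    Content(b"\xffSMB%", offset=4, depth=5, nocase=True),
    Content(b"\x26\x00", offset=65, depth=2),
    Content(bytes.fromhex("67157a76")),   # no modifiers: anywhere in payload
]


def rule_fires(payload: bytes, contents=SID_1000130) -> bool:
    """True only if every content option matches (options are ANDed)."""
    return all(c.matches(payload) for c in contents)


def build_sample(marker_at: int = 65,
                 tail: bytes = bytes.fromhex("67157a76")) -> bytes:
    """Constructed 128-byte zero buffer carrying only the bytes the rule keys on."""
    buf = bytearray(128)
    buf[4:9] = b"\xffSMB%"
    buf[marker_at:marker_at + 2] = b"\x26\x00"
    buf[100:100 + len(tail)] = tail
    return bytes(buf)


if __name__ == "__main__":
    print("baseline:", rule_fires(build_sample()))
    print("marker shifted by one byte:", rule_fires(build_sample(marker_at=66)))
```

Because depth:2 pins the second content to exactly bytes 65-66, shifting it by a single byte is enough for the rule to stay silent, while the unanchored last content matches at any position.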



