From: Michael Murray (mmurray_at_ncircle.com)
Date: Tue Oct 08 2002 - 22:49:12 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Bruno,

    That's the MIME encoded version of part of the worm; the signature will
    trigger as the worm passes across the network attached to an email.

    - From what I've seen travelling across the wire in my work with the worm, that
    signature matches email transmission.

    M

    On Tuesday 08 October 2002 07:34 am, Bruno Sicchieri wrote:
    > In-Reply-To: <Pine.BSO.4.44.0210032015410.16473-100000birdie.sekure.net>
    >
    > Well, I've got a lot of files infected by BugBear but none of them has the
    > content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD",
    > and I can't find a reg.exp. that matches in any file.
    >
    > I don't know, for me this sig doesn't work.
    >
    > Has anybody another sig?
    >
    > >On Thu, 3 Oct 2002, Elijah Savage wrote:
    > >> Is there a way to detect this worm with snort to see how often it is
    > >> traversing our network?
    > >
    > >Yes. This is what Shane Williams wrote on the snort-sigs mailing list:
    > >
    > >--
    > >I've spent some time today looking into this and here's the rule I've
    > >come up with to find it in SMTP traffic. Someone feel free to
    > >optimize it if necessary (I try not to use some of the new rule
    > >features to maintain some backward compatibility).
    > >
    > >alert tcp any any -> any 25 (msg:"BugbearMM virus in SMTP";
    > >content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD";
    > >sid:900001; classtype:misc-activity;
    > >rev:1;)

    - --
    | Michael Murray, CISSP <mmurraynCircle.com>
    | Manager, Exposure Research and Ontology
    | nCircle Network Security 415-625-5968
    | cell - 415.297.3576

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9o6c8UsC8b1YJAp8RAmpKAJ4+Bob2gu/V11Bh3KsXHbogvKZFcwCdGDCN
    WoQMmkdwKdjLAyinLjoGM9M=
    =Gp5S
    -----END PGP SIGNATURE-----
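The thread turns on a point that is easy to get wrong with content signatures: the quoted string is the base64 (MIME) transport form of a chunk of the binary, so it exists only in mail traffic, never in the decoded file on disk, and on the wire it is only found if the chunk sits at the same byte alignment (offset mod 3) it had in the original attachment and does not straddle a MIME line break. The quoted string is itself 76 characters long, which is the full width of a MIME base64 line, so a raw content match on it can only succeed when it starts exactly at a line boundary. The Python below is an added illustration written for this page, not code from the thread, from Snort or from the worm: the "binary" is a constructed 256-byte string, the SMTP message, addresses, boundary and filename are made up, and the helper names are the author's own.

```python
import base64

# Constructed stand-in for a slice of a malware binary. These are NOT bytes
# of Bugbear or any real sample; a non-repeating byte string is enough to
# show how a base64 content signature behaves.
SAMPLE_BINARY = bytes(range(256))


def b64_alignment_variants(fragment: bytes) -> list:
    """Return the three base64 renderings a binary fragment can have on the wire.

    Base64 consumes input in 3-byte groups, so the text a fragment produces
    depends on (offset of the fragment in the file) mod 3.  variants[i] is the
    rendering for offset % 3 == i.  Partial leading and trailing groups are
    dropped because their characters also depend on bytes outside the fragment.
    """
    variants = []
    for lead in range(3):
        padded = b"\x00" * lead + fragment       # shift fragment to alignment `lead`
        enc = base64.b64encode(padded).decode("ascii")
        start = 4 if lead else 0                 # first group contains dummy bytes
        end = len(enc) - (4 if len(padded) % 3 else 0)  # last group is incomplete
        variants.append(enc[start:end])
    return variants


def mime_base64_body(payload: bytes, line_length: int = 76) -> bytes:
    """Encode payload as a MIME base64 body: RFC 2045 caps encoded lines at
    76 characters and SMTP terminates lines with CRLF.  This is the byte
    stream a sensor on port 25 actually sees."""
    enc = base64.b64encode(payload).decode("ascii")
    lines = [enc[i:i + line_length] for i in range(0, len(enc), line_length)]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def smtp_stream(payload: bytes, filename: str = "readme.exe") -> bytes:
    """Constructed SMTP/MIME message carrying payload as a base64 attachment.
    Addresses, boundary and filename are made up for the example."""
    headers = (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: constructed test message\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b0undary"\r\n'
        "\r\n"
        "--b0undary\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
    )
    trailer = "--b0undary--\r\n.\r\n"
    return headers.encode("ascii") + mime_base64_body(payload) + trailer.encode("ascii")


def content_match(signature: str, stream: bytes) -> bool:
    """What the quoted Snort rule does: content: is a plain byte-substring
    search over the traffic, with no base64 decoding and no line joining."""
    return signature.encode("ascii") in stream


def unwrapped_match(signature: str, stream: bytes) -> bool:
    """The same search after the CRLF line breaks are removed, i.e. on the
    logical base64 text.  The rule on the page does not do this."""
    return signature.encode("ascii") in stream.replace(b"\r\n", b"")


def evaluate(offset: int, length: int) -> dict:
    """Build the wire-form signature for SAMPLE_BINARY[offset:offset+length]
    and report where it can and cannot be found."""
    fragment = SAMPLE_BINARY[offset:offset + length]
    variants = b64_alignment_variants(fragment)
    sig = variants[offset % 3]                   # the rendering this file position gets
    stream = smtp_stream(SAMPLE_BINARY)
    body_text = stream.replace(b"\r\n", b"")
    return {
        "signature": sig,
        "in_raw_file": sig.encode("ascii") in SAMPLE_BINARY,  # grep of the decoded binary
        "on_wire": content_match(sig, stream),
        "unwrapped": unwrapped_match(sig, stream),
        "aligned_variant_count": sum(v.encode("ascii") in body_text for v in variants),
    }


if __name__ == "__main__":
    # Fragment whose base64 form is exactly one 76-character body line.
    print(evaluate(57, 57))
    # Fragment whose 76-character base64 form straddles a line break.
    print(evaluate(100, 60))
```

Run stand-alone, the first case shows a signature that is found on the wire but not in the decoded file, which is the situation Michael describes; the second shows a signature of the same length that is present in the logical base64 text but never matches the raw SMTP stream because a CRLF falls inside it. Only one of the three alignment variants ever matches, so a signature cut from a sample at the wrong offset, or taken from a different MIME line layout, will be silent even though the worm is on the network.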