From: Michael Murray (mmurray_at_ncircle.com)
Date: Tue Oct 08 2002 - 22:49:12 CDT
That's the MIME encoded version of part of the worm; the signature will
trigger as the worm passes across the network attached to an email.
From what I've seen travelling across the wire in my work with the worm, that
signature matches email transmission.
On Tuesday 08 October 2002 07:34 am, Bruno Sicchieri wrote:
> In-Reply-To: <Pine.BSO.4.44.0210032015410.16473-100000birdie.sekure.net>
> Well, I've got a lot of files infected by BugBear but none of them has the
> WcEQmDxCTD", and I can't find a reg.exp. that matches in any file.
> I don't know, for me this sig doesn't work.
> Has anybody another sig?
> >On Thu, 3 Oct 2002, Elijah Savage wrote:
> >> Is there a way to detect this worm with snort to see how often it is
> >> traversing our network?
> >Yes. This is what Shane Williams wrote on the snort-sigs mailing list:
> >I've spent some time today looking into this and here's the rule I've
> >come up with to find it in SMTP traffic. Someone feel free to
> >optimize it if necessary (I try not to use some of the new rule
> >features to maintain some backward compatibility).
> >alert tcp any any -> any 25 (msg:"BugbearMM virus in SMTP";
> >sid:900001; classtype:misc-activity;
| Michael Murray, CISSP <mmurraynCircle.com>
| Manager, Exposure Research and Ontology
| nCircle Network Security 415-625-5968
| cell - 415.297.3576
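The point made in the reply above, as an added example that is not part of the original thread: a signature taken from the base64 (MIME) form of an attachment matches the SMTP stream but not the same file on disk, unless the file is re-encoded before searching. The sample bytes, both signatures and all function names are constructed for illustration and are not Bugbear data.

```python
import base64

# Constructed stand-in for an infected attachment (not real worm bytes).
SAMPLE_FILE = b"MZ" + bytes((i * 37 + 11) % 256 for i in range(238))


def smtp_attachment_body(raw: bytes) -> bytes:
    """Base64 body as it crosses the wire: 76-character lines ending in CRLF."""
    return base64.encodebytes(raw).replace(b"\n", b"\r\n")


def unwrapped(raw: bytes) -> bytes:
    """The same base64 encoding with the MIME line breaks removed."""
    return base64.b64encode(raw)


def where_it_matches(sig: bytes, raw: bytes) -> dict:
    """Report which views of one attachment contain the signature bytes."""
    return {
        "file_on_disk": sig in raw,                       # raw binary, as stored
        "smtp_stream": sig in smtp_attachment_body(raw),  # what an SMTP content rule sees
        "file_re_encoded": sig in unwrapped(raw),         # file encoded first, breaks stripped
    }


# Two hypothetical 20-character signatures cut from the encoded stream.
ENCODED = unwrapped(SAMPLE_FILE)
SIG_MID_LINE = ENCODED[80:100]     # lies wholly inside the second 76-character line
SIG_ACROSS_BREAK = ENCODED[70:90]  # spans the end of line one and the start of line two

if __name__ == "__main__":
    for name, sig in (("mid-line", SIG_MID_LINE), ("across break", SIG_ACROSS_BREAK)):
        print(name, sig.decode(), where_it_matches(sig, SAMPLE_FILE))
```

To check a base64-derived signature against files collected from disk, encode each file first and search the unwrapped output. A signature cut across a 76-character line boundary will not match on the wire, because the CRLF falls inside it.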