[Snort-users] Re: [Snort-sigs] New Worm / Virus - WORM_MIMAIL.R?

From: Bryan Irvine (bryan.irvinekingcountyjournal.com)
Date: Mon Jan 26 2004 - 17:01:07 CST


I don't believe it's a new variant, but rather a whole new virus
altogether. But, it's so new nobody really knows much about it.

Read about it here.

http://vil.nai.com/vil/content/v_100983.htm

It's called Mydoom or Dumaruy. Very high risk. We just blocked all
.zips until the virus vendors release new definitions/cleaners.

Hope your day isn't as hectic as mine because of this damn thing.

--Bryan

On Mon, 2004-01-26 at 13:42, samneuroflux.com wrote:
> All:
>
> We are experiencing what appears to be a new variant of the MIMAIL virus.
> We've had several machines infected now, and I've created a quick
> signature:
>
> alert tcp any any -> any any (msg: "Test Virus Pattern"; content:
> "represented in 7-bit ASCII"; nocase; sid:1000569;)
>
> The contents of the message, at least from what we have gathered, is this:
>
> The subject is: Hi
>
> The body, at least once it comes into our exchange server is:
>
> represented in 7-bit ASCII
>
> The attachments are stored inside an .zip file, but are either .scr, .pif,
> .exe etc. etc.
>
> What we've discovered thus far:
>
> * The worm also has its own SMTP engine, and therefore any infected
> machine started mass mailing to the internet.
>
> * We've been on the phone with Symantec and Trend, and they are currently
> investigating and creating new signatures.
>
> * Some of the attachments come in as status.zip.
>
> * Thought I'd pass this along in case anyone else is stumped.
>
> -Sam
>
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigslists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

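Added example, not part of either message above: a Python check for the attachment pattern the thread describes, opening each .zip attachment and listing members that end in .scr, .pif or .exe. The body string from the posted rule is reported separately, because it also appears in mail that only discusses the worm. The function names and the sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

SUSPECT_EXTS = (".scr", ".pif", ".exe")      # extensions named in the thread
BODY_MARKER = b"represented in 7-bit ascii"  # string the posted rule matches

def inspect_message(raw):
    """Return (body_marker_seen, {zip filename: [suspect member names]})."""
    marker, hits = False, {}
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    bad = [m for m in zf.namelist()
                           if m.lower().endswith(SUSPECT_EXTS)]
            except zipfile.BadZipFile:
                bad = ["<unreadable archive>"]  # cannot inspect: flag it
            if bad:
                hits[name] = bad
        elif part.get_content_maintype() == "text":
            marker = marker or BODY_MARKER in data.lower()
    return marker, hits

def build_sample(member=None):
    """Constructed test mail; the zip member holds placeholder bytes only."""
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg.set_content("constructed sample: represented in 7-bit ASCII")
    if member:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, b"placeholder, not an executable")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="status.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for label, raw in [("zip with .scr", build_sample("document.txt.scr")),
                       ("zip with .txt", build_sample("notes.txt")),
                       ("text only", build_sample())]:
        print(label, inspect_message(raw))
```

The second and third samples carry the body string but no executable inside a zip, which is the case a content-only match cannot tell apart from an infected message.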