Security Incidents mailing list archives
RE: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email?
From: "Chris Harrington" <cmh () nmi net>
Date: Wed, 28 Jan 2004 09:10:50 -0500
Symantec's ManHunt reportedly has a signature. Here is a Snort signature I saw on the mailing list: alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;) ISS has a trons rule for the traffic: http://xforce.iss.net/xforce/xfdb/14958 -- Christopher Harrington, CISSP Security Engineer NMI InfoSecurity Solutions 207-780-6381, x236 http://www.nmi.net -----Original Message----- From: falcon () secureconsulting net [mailto:falcon () secureconsulting net] Sent: Tuesday, January 27, 2004 2:24 PM To: incidents () securityfocus com Subject: Re: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email? Has anybody developed a good IDS sig for catching the traffic? AV vendors don't seem to care about the network analysis of the traffic. If anybody has a completed nw analysis and ideas for a sig, would love to see it, save myself some work. ;)
Ok, after sorting through about 30 messages that all point out that AV vendors have signatures for the virus, I am rejecting all of them. In summary: There is a fast spreading worm, write-ups are available at your preferred AV site, and I would prefer that discussion about this, on this list, should confine itself to the resulting implications of the worm (proxies, etc), rather than stopping it at the SMTP gateway or cleaning it from systems. D On Tue, 27 Jan 2004, Nigel Frankcom wrote:Hi All, Over the last 2 hours our mail servers have seen a dramatic rise in Mydoom virus emails. So far neither Panda nor McAfee are detecting it - tho the following Content Filter is working for us: *C_o_n_tent-Transfer-Encoding: 7bit* (remove _'s) Subject seems to morph as each new wave is released. Most connections *seem* to be from private machines. Numbers are rising. Regards Nigel---------------------------------------------------------------------- -----
-------------------------------------------------------------------------- --
-------------------------------------------------------------------------- - -------------------------------------------------------------------------- --
Attachment:
smime.p7s
Description:
Current thread:
- Anyome else seeing a rise in Mydoom Viruses over email? Nigel Frankcom (Jan 27)
- (Moderator Note) Re: Anyome else seeing a rise in Mydoom Viruses over email? Dan Hanson (Jan 27)
- Re: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email? falcon (Jan 27)
- RE: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email? Chris Harrington (Jan 28)
- RE: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email? falcon (Jan 28)
- Re: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email? falcon (Jan 27)
- (Moderator Note) Re: Anyome else seeing a rise in Mydoom Viruses over email? Dan Hanson (Jan 27)
- <Possible follow-ups>
- Fw: Anyome else seeing a rise in Mydoom Viruses over email? Henrique Cabral (Jan 27)
- Re: Fw: Anyome else seeing a rise in Mydoom Viruses over email? Matt Curtin (Jan 28)
- Re: Fw: Anyome else seeing a rise in Mydoom Viruses over email? Patrick Nolan (Jan 28)
- Re: Fw: Anyome else seeing a rise in Mydoom Viruses over email? Joe Matusiewicz (Jan 28)
- Re: Fw: Anyome else seeing a rise in Mydoom Viruses over email? Matt Curtin (Jan 28)
- RE: Anyome else seeing a rise in Mydoom Viruses over email? Thompson, Jimi (Jan 28)