Snort mailing list archives

RE: pif WORM?


From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Mon, 13 Aug 2001 13:36:25 -0700

It's likely to be the W32.Sircam virus.  It is sent through email as
attached .pif files.  
The snort homepage has rules to trigger on the email text if you wanted to
get more specific alerts.

I'm getting about two SirCams per day at home..  Sadly, most are from
members of the InfoSec mailing lists that I belong to..  (I don't think any
are from this list, though :-)

Some people's kids!!...
/Dan Hawrylkiw

-----Original Message-----
From: john.ruff () us abb com [mailto:john.ruff () us abb com]
Sent: Monday, August 13, 2001 10:52 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] pif WORM?




Anyone have specific details regarding this entry in my ALERT_FULL snort
log file:

[**] [1:721:1] Virus - Possible pif Worm [**]
08/13-13:24:12.370939 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:63795 IpLen:20 DgmLen:1044
***AP*** Seq: 0xAC838C68  Ack: 0x14BBA  Win: 0xFAF0  TcpLen: 20

[**] [1:729:1] Virus - Possible scr Worm [**]
08/13-13:24:38.676198 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:64225 IpLen:20 DgmLen:1051
***A**** Seq: 0xAC898900  Ack: 0x14CA4  Win: 0xFAF0  TcpLen: 20

Thanks,
John



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
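
For triaging entries like the two quoted in this thread, an added example (not from either poster or from the Snort project): a small Python parser for the alert_full text format that groups alerts by TCP session. The `MAIL_PORTS` table and the function names are assumptions of this sketch.

```python
import re
# The two alert_full entries quoted in the thread, embedded so this runs offline.
SAMPLE = """\
[**] [1:721:1] Virus - Possible pif Worm [**]
08/13-13:24:12.370939 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:63795 IpLen:20 DgmLen:1044
***AP*** Seq: 0xAC838C68  Ack: 0x14BBA  Win: 0xFAF0  TcpLen: 20

[**] [1:729:1] Virus - Possible scr Worm [**]
08/13-13:24:38.676198 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:64225 IpLen:20 DgmLen:1051
***A**** Seq: 0xAC898900  Ack: 0x14CA4  Win: 0xFAF0  TcpLen: 20
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
SEQ = re.compile(r"Seq: (0x[0-9A-Fa-f]+)")
# Triage assumption (not from the thread): a well-known mail port on the
# source side means a mail server is delivering data to the destination host.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}

def parse_alerts(text):
    """Turn alert_full text into one dict per alert that has an ip:port line."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, flow, seq = HEADER.search(block), FLOW.search(block), SEQ.search(block)
        if not (head and flow):
            continue  # no ip:port line (e.g. ICMP) or a truncated entry
        alerts.append({
            "sid": int(head.group(2)), "msg": head.group(4),
            "src": flow.group(2), "sport": int(flow.group(3)),
            "dst": flow.group(4), "dport": int(flow.group(5)),
            "seq": int(seq.group(1), 16) if seq else None,
        })
    return alerts

def summarize(alerts):
    """Group by TCP 4-tuple; span_bytes is last minus first Seq, modulo 2**32."""
    sessions = {}
    for a in alerts:
        sessions.setdefault((a["src"], a["sport"], a["dst"], a["dport"]), []).append(a)
    out = []
    for (src, sport, dst, _), hits in sessions.items():
        seqs = [h["seq"] for h in hits if h["seq"] is not None]
        span = (seqs[-1] - seqs[0]) & 0xFFFFFFFF if seqs else 0
        out.append({"src": src, "dst": dst, "service": MAIL_PORTS.get(sport, "unknown"),
                    "sids": sorted(h["sid"] for h in hits), "span_bytes": span})
    return out
```

On the sample, both alerts collapse into a single session from source port 110 (POP3) to the same client, with the alerting segments 392344 bytes apart in the stream, which is consistent with a mail download carrying the attachments.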
