Snort mailing list archives

KLEZ


From: Alejandro Flores <aflores () ipad com br>
Date: 25 Apr 2002 18:38:25 -0300

        Hi all,

        Having a look at those KLEZ viruses I'm receiving every day, I found that
the start of the attachment is always the same:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAA

        Let me know if I'm right and whether we can block this out with this rule:


# content: is the base64 of the first bytes of a PE file's DOS header
# (MZ magic, 0x90, 0x03, ...); continuation lines joined with '\'
alert tcp any 110 -> any any (msg:"Virus - KLEZ"; \
    content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA"; sid:720; \
    classtype:misc-activity; rev:3; resp:rst_all;)

        I'm testing it on POP3, but I think it will have to work on SMTP.

See ya,
Alejandro Flores
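
An added example (not part of Alejandro's post, and not Snort code) that checks what the quoted base64 actually is and what the proposed content: match would and would not catch. It decodes the three quoted lines: they are the DOS header and stub ("This program cannot be run in DOS mode") that standard Windows linkers put at the front of every PE executable, with e_lfanew = 0xD8, so the rule matches any base64-encoded .exe attachment, not only Klez. It then builds a constructed MIME message (the addresses, boundary and filename are made up) around a constructed stand-in executable to show the match firing, and shows the alignment caveat: the same bytes preceded by one extra byte encode to a completely different base64 string, so a fixed content: string only works when the executable starts exactly at the beginning of a base64 line, which is the normal case for a MIME attachment.

```python
import base64
import struct

# The three 76-column base64 lines quoted in the post.
POSTED_PREFIX_LINES = [
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v",
    "ZGUuDQ0KJAAAAAAAAA",
]

# The content: string from the proposed Snort rule.
RULE_CONTENT = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA"


def decode_prefix(lines=POSTED_PREFIX_LINES):
    """Decode the quoted fragment; the post cut it mid-group, so re-pad it."""
    joined = "".join(lines)
    joined += "=" * (-len(joined) % 4)
    return base64.b64decode(joined)


def describe_dos_header(blob):
    """Pick out the fields that show the bytes are a PE file's DOS header/stub."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]  # offset of "PE\0\0" header
    return {
        "magic": blob[:2],  # b"MZ"
        "e_lfanew": e_lfanew,
        "stub_text": b"This program cannot be run in DOS mode" in blob,
    }


def base64_lines(data, width=76):
    """Encode as a mail client does: base64 broken into 76-character lines."""
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]


def build_message(attachment, filename):
    """Constructed sample MIME message carrying one base64 attachment."""
    body = "\r\n".join(base64_lines(attachment))
    return (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "hello\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        + body + "\r\n"
        "--b1--\r\n"
    )


def fake_pe_from_prefix():
    """Constructed stand-in for an executable: the decoded stub, zero-padded up
    to e_lfanew, then a "PE\\0\\0" signature. Not a runnable program."""
    stub = decode_prefix()
    e_lfanew = describe_dos_header(stub)["e_lfanew"]
    return stub + b"\x00" * (e_lfanew - len(stub)) + b"PE\x00\x00" + b"\x00" * 20


def matches_rule(message):
    """Emulate the rule's content: match: plain substring search over the stream."""
    return RULE_CONTENT in message


def matching_lines(message):
    """1-based numbers of the lines that begin with the rule's content string."""
    return [n for n, line in enumerate(message.split("\r\n"), 1)
            if line.startswith(RULE_CONTENT)]


if __name__ == "__main__":
    stub = decode_prefix()
    print(describe_dos_header(stub))
    aligned = build_message(fake_pe_from_prefix(), "report.exe")
    print("aligned attachment matches:", matches_rule(aligned), matching_lines(aligned))
    # Same bytes preceded by one extra byte: every base64 group shifts, so the
    # fixed content string no longer appears even though the executable is there.
    shifted = build_message(b"\x00" + fake_pe_from_prefix(), "report.exe")
    print("shifted attachment matches:", matches_rule(shifted))
```

One more point on where the rule looks: `any 110 -> any any` inspects traffic whose source port is 110, i.e. what the POP3 server sends back to the client. On SMTP the attachment travels from the sending client to the server, so the equivalent rule for port 25 would be written in the other direction, `any any -> any 25`.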



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
