Snort mailing list archives

Re: New virus zotob signature

From: Troy Solo <solo () dok org>
Date: Tue, 16 Aug 2005 13:19:13 -0500

From another source:

alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000Plug and Play Vulnerability"; flow:to_server,established;content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2;offset:65;content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx;classtype:attempted-admin; sid:1000130; rev:1;)

alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65;content:"|3600|"; offset:110; within:5;content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx;classtype:attempted-admin; sid:1000131; rev:1;)

alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS MicrosoftWindows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65;content:"|3600|"; offset:110; within:5;content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx;classtype:attempted-admin; sid:1000132; rev:1;)




Cesar Sanabria Pineda wrote:

Hi all, Does anobody has the signature for the new virus zotob that
exploits MS05-039?

Cesar Sanabria Pineda <csanab () ife org mx>



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

New virus zotob signature Cesar Sanabria Pineda (Aug 15)
- Re: New virus zotob signature Banshee (Aug 15)
- Re: New virus zotob signature Troy Solo (Aug 16)
- <Possible follow-ups>
- Re: New virus zotob signature Jason Brvenik (Aug 15)