01-31-2006 12:34 PM - edited 03-10-2019 01:52 AM
Is the Kamasutra worm signature available? If it is not available yet... is there any workaround to detect and prevent the worm?
Regards
01-31-2006 06:39 PM
Correct me if I am wrong; however, this looks to be another alias for the blackworm. There was a custom signature provided under the blackworm thread:
In the meantime you can use the following custom signature to catch WORM_GREW.A also known as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife, Win32/Blackmal.F:
Engine: String.TCP
Service Port: 25
Regex String :
\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e
02-01-2006 10:15 AM
I'm new to creating rules. Can you give me the steps needed to create this rule using the IDM GUI interface to a 4255 running 5.0? Things like what engine to use and where to put the Regex string.
02-02-2006 04:25 AM
Go to Configuration | Signature Definition | Signature Configuration
Click on the "Add" button.
-> New popup with the signature parameters
Select String TCP as an engine
-> New parameters appear
Configure "Regex String" and "Service Ports" as mentioned previously.
Click "OK"
Click "APPLY"
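
An offline sanity check of the custom signature quoted in this thread, as an added example that is not part of any poster's reply and is not Cisco code: it compiles the regex string exactly as posted and runs it over constructed SMTP segments, including a case where the byte string straddles two TCP segments. `StreamMatcher`, `scan_flow`, `scan_per_segment` and the sample flows are hypothetical names and data made up for illustration; carrying a tail between segments is an assumption standing in for the sensor's stream inspection.

```python
import re

# Regex string copied verbatim from the thread (hex-escaped bytes).
SIG_REGEX = rb"\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e"
SERVICE_PORT = 25  # "Service Port: 25" from the thread
PATTERN = re.compile(SIG_REGEX)
# The pattern is a fixed byte string, so its literal form gives the match length.
LITERAL = bytes.fromhex(SIG_REGEX.replace(b"\\x", b"").decode("ascii"))


class StreamMatcher:
    """Hypothetical helper: keeps the last len-1 bytes seen so a hit that
    straddles two TCP segments is still found."""

    def __init__(self):
        self.tail = b""

    def feed(self, segment: bytes) -> bool:
        data = self.tail + segment
        self.tail = data[-(len(LITERAL) - 1):]
        return PATTERN.search(data) is not None


def scan_flow(dst_port, segments):
    """Stream-aware check, limited to the signature's service port."""
    if dst_port != SERVICE_PORT:
        return False
    matcher = StreamMatcher()
    return any(matcher.feed(s) for s in segments)


def scan_per_segment(dst_port, segments):
    """Naive per-packet check, shown for contrast with scan_flow."""
    return dst_port == SERVICE_PORT and any(PATTERN.search(s) for s in segments)


# Constructed sample traffic (not captured from a real infection).
HEADER = b"DATA\r\nSubject: test\r\nX-Note: constructed sample\r\n\r\n"
SPLIT_FLOW = [HEADER + b"AAAA" + LITERAL[:10], LITERAL[10:] + b"BBBB\r\n.\r\n"]
WHOLE_FLOW = [HEADER, b"AAAA" + LITERAL + b"BBBB\r\n.\r\n"]
BENIGN_FLOW = [HEADER, b"SGVsbG8gd29ybGQ=\r\n.\r\n"]

if __name__ == "__main__":
    for name, flow in [("split", SPLIT_FLOW), ("whole", WHOLE_FLOW), ("benign", BENIGN_FLOW)]:
        print(name, scan_flow(25, flow), scan_per_segment(25, flow))
```

The same harness can be pointed at payloads extracted from a packet capture to confirm the signature fires, and stays quiet on normal mail, before the rule is applied on the sensor.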