Kamasutra Signature

facundog · ‎01-31-2006

Is the Kamasutra worm signature available? If it is not available yet... is ther any workaround to detect and prevent the worm?

Regards

jlimbo · ‎01-31-2006

Correct me if I am wrong however this looks to be another alias for the blackworm. There was a custom signature provided under the blackworm thread:

In the meantime you can use the following custom signature to catch WORM_GREW.A also known as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife, Win32/Blackmal.F:

Engine: String.TCP

Service Port: 25

Regex String :

\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e

jarhead354 · ‎02-01-2006

I'm new to creating rules. Can you give me the steps needed to create this rule using the IDM Gui interface to a 4255 running 5.0? Things like what engine to use and where to put the Regex string.

jdal · ‎02-02-2006

Go to

Configuration | Signature Definition | Signature Configuration

Click on the "Add" button.

-> New popup with the signature parameters

Select String TCP as an engine

->New parameters appear

Configure "Regex String" and "Service Ports" as mentionned previously.

Click "OK"

Click "APPLY"