04-29-2004 09:42 AM - edited 03-09-2019 07:14 AM
We are getting a lot of this worm on our campus.
It's a backdoor-type virus that tries to access NT clients in various ways.
According to the Computer Associates "Virus Information Center", it was first detected about April 25.
Is there a current or planned IDS signature for it?
Thanks in advance.
04-30-2004 04:56 AM
This worm/virus/trojan has multiple variants and uses multiple exploits to do its work. We will not be releasing a signature specific to this version, but if you read my post about phatbot (a cousin to this one) you'll see how deep our coverage is, as this class of worm/virus/trojan uses a Swiss Army knife of exploits to get its job done.
05-12-2004 05:45 AM
I know it is a very archaic method, but we created a signature for TCP ports 445 and also 2745. This seems to have identified them. I made it a sweep.host.tcp and made the minimum hits 300 for port 445 and 100 for port 2745.
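The sweep thresholds from the post above, applied to connection records as an added example that is not part of the thread and is not Cisco's signature engine. It assumes "minimum hits" means distinct destination hosts reached by one source on that port; the 60-second window, the record format and the names `find_sweepers` and `sample_events` are also assumptions.

```python
from collections import defaultdict

# Minimum hits per destination port, as given in the post above.
THRESHOLDS = {445: 300, 2745: 100}
WINDOW_SECONDS = 60  # assumption: the post does not state a time window


def find_sweepers(events, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """Return sorted (src_ip, dst_port) pairs that look like host sweeps.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port), one
    per TCP connection attempt. A pair is flagged when the source reaches at
    least thresholds[port] distinct destination hosts within `window` seconds.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port in events:
        if port in thresholds:
            by_key[(src, port)].append((ts, dst))

    flagged = []
    for (src, port), hits in by_key.items():
        hits.sort()
        in_window = defaultdict(int)  # dst_ip -> attempts inside the window
        left = 0
        for ts, dst in hits:
            in_window[dst] += 1
            while hits[left][0] <= ts - window:  # evict expired attempts
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= thresholds[port]:
                flagged.append((src, port))
                break
    return sorted(flagged)


def sample_events():
    """Constructed connection records (not real traffic)."""
    def host(i):
        return f"10.1.{i // 250}.{i % 250 + 1}"
    ev = [(i * 0.1, "10.0.0.5", host(i), 445) for i in range(300)]       # 300 hosts in 30 s
    ev += [(i * 0.5, "10.0.0.6", host(i), 2745) for i in range(100)]     # 100 hosts in 50 s
    ev += [(i * 0.1, "10.0.0.7", host(i % 2), 445) for i in range(500)]  # busy client, 2 servers
    ev += [(i * 10.0, "10.0.0.8", host(i), 445) for i in range(300)]     # 300 hosts over 50 min
    ev += [(i * 0.5, "10.0.0.9", host(i), 2745) for i in range(99)]      # one host short
    return ev
```

Counting distinct destinations rather than raw connections keeps a client that talks heavily to two file servers on port 445 from being flagged. The result also depends on the window: the source that spreads its 300 hosts over 50 minutes is only flagged when the window is widened.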