
IDS signature for "Win32.Agobot"

dfisher
Level 1

We are getting a lot of this worm on our campus.

It's a backdoor-type virus that tries to access NT clients in various ways.

According to the Computer Associates "Virus Information Center", it was first detected about April 25.

Is there a current or planned IDS signature for it?

Thanks in advance.

2 Replies

derwalke
Level 1

This worm/virus/trojan has multiple variants and uses multiple exploits to do its work. We will not be releasing a signature specific to this version, but if you read my post about phatbot (a cousin to this one) you'll see how deep our coverage is, as this class of worm/virus/trojan uses a swiss army knife of exploits to get its job done.

http://www.cisco.com/cgi-bin/front.x/csec/view.pl?VID=3913

dpatkins
Level 1

I know it is a very archaic method, but we created a signature for TCP ports 445 and also 2745. This seems to have identified them. I made it a sweep.host.tcp and made the minimum hits 300 for port 445 and 100 for port 2745.
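
The host-sweep thresholds from the reply above, applied to connection records, as an added example that is not part of the thread and is not Cisco IDS signature syntax. The 60-second window, the `(timestamp, src, dst, dport)` record format and all sample traffic are assumptions constructed for illustration; the post gives only the ports and the minimum hits.

```python
from collections import defaultdict

# Thresholds from the post: minimum hits per destination TCP port.
THRESHOLDS = {445: 300, 2745: 100}
WINDOW_SECONDS = 60  # assumption: the post does not state a time window


def detect_sweeps(events, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """Return {(src, dport): first_alert_time} for every source that contacts
    at least thresholds[dport] distinct hosts within `window` seconds.

    events: time-ordered iterable of (timestamp, src_ip, dst_ip, dst_port).
    """
    last_seen = defaultdict(dict)  # (src, dport) -> {dst: last timestamp}
    alerts = {}
    for ts, src, dst, dport in events:
        if dport not in thresholds:
            continue  # only the two watched ports are counted
        key = (src, dport)
        seen = last_seen[key]
        seen[dst] = ts
        # Forget destinations that have aged out of the sliding window.
        for host in [h for h, t in seen.items() if ts - t > window]:
            del seen[host]
        # Distinct hosts are counted, so repeat hits on one server do not add up.
        if key not in alerts and len(seen) >= thresholds[dport]:
            alerts[key] = ts
    return alerts


def sample_events():
    """Constructed traffic: two sweeping hosts and two that must not alert."""
    ev = []
    for i in range(320):  # 320 distinct hosts on 445 in 32 s
        ev.append((i // 10, "10.1.1.50", f"10.2.{i // 250}.{i % 250 + 1}", 445))
    for i in range(120):  # 120 distinct hosts on 2745 in 24 s
        ev.append((i // 5, "10.1.1.60", f"10.3.0.{i + 1}", 2745))
    for i in range(400):  # 400 hosts on 445, one every 10 s: too slow
        ev.append((i * 10, "10.1.1.70", f"10.4.{i // 250}.{i % 250 + 1}", 445))
    for i in range(500):  # 500 connections to one file server: one host
        ev.append((i, "10.1.1.80", "10.5.0.10", 445))
    return sorted(ev)


if __name__ == "__main__":
    for (src, dport), ts in sorted(detect_sweeps(sample_events()).items()):
        print(f"sweep: {src} -> tcp/{dport}, threshold reached at t={ts}s")
```

The slow scanner at 10.1.1.70 stays under the threshold, which shows the cost of a pure count-in-window rule: a source that spreads its attempts out is not flagged.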