
Mumu

abwood
Level 1

Are there any plans to create a signature for the new Mumu worm?

Also, does anybody have any data about creating a custom sig that would capture the worm's traffic?

Thanks.

1 Reply

mcerha
Level 3

We generally don't write signatures for these types of worms because they mutate so fast. However, 4.0 sensors should catch infected hosts with signature 3320 "SMB: ADMIN$ hidden share access attempt". This is a 4.0 only signature. You would see an infected host as the source for many of these alarms. Because the worm tries to brute-force passwords, signature 6255 "SMB Authorization Failure" may also fire.
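The triage described in the reply above, as an added example that is not part of the original thread or any Cisco tooling: it groups exported alarms by source address and flags hosts that raise signature 3320 against many distinct destinations in a short window, with the signature 6255 count as corroboration. The CSV layout, the addresses, the timestamps and the thresholds are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SIG_ADMIN_SHARE = 3320  # "SMB: ADMIN$ hidden share access attempt"
SIG_AUTH_FAIL = 6255    # "SMB Authorization Failure"

# Constructed sample export (not real sensor output): time,signature,source,destination
SAMPLE = """\
2003-06-10T09:00:01,3320,10.1.1.50,10.1.1.10
2003-06-10T09:00:02,6255,10.1.1.50,10.1.1.10
2003-06-10T09:00:03,3320,10.1.1.50,10.1.1.11
2003-06-10T09:00:04,6255,10.1.1.50,10.1.1.11
2003-06-10T09:00:05,3320,10.1.1.50,10.1.1.12
2003-06-10T09:00:07,3320,10.1.1.50,10.1.1.13
2003-06-10T09:00:08,6255,10.1.1.50,10.1.1.13
2003-06-10T09:10:00,3320,10.1.1.77,10.1.1.10
2003-06-10T11:30:00,3320,10.1.1.77,10.1.1.11
2003-06-10T14:00:00,3320,10.1.1.77,10.1.1.12
2003-06-10T16:45:00,3320,10.1.1.77,10.1.1.13
2003-06-10T09:20:00,6255,10.1.1.80,10.1.1.10
"""

def parse_alarms(text):
    """Yield (timestamp, signature id, source, destination) per non-empty row."""
    for row in csv.reader(io.StringIO(text)):
        if row:
            ts, sig, src, dst = row
            yield datetime.fromisoformat(ts), int(sig), src, dst

def suspect_hosts(alarms, min_targets=4, window_s=300):
    """Return {source: (peak distinct ADMIN$ targets in a window, auth failures)}."""
    window = timedelta(seconds=window_s)
    share, auth_fail = defaultdict(list), defaultdict(int)
    for ts, sig, src, dst in alarms:
        if sig == SIG_ADMIN_SHARE:
            share[src].append((ts, dst))
        elif sig == SIG_AUTH_FAIL:
            auth_fail[src] += 1
    flagged = {}
    for src, events in share.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = (peak, auth_fail[src])
    return flagged
```

Counting distinct destinations per window, rather than raw alarm totals, keeps a host that touches ADMIN$ on a few servers over a working day (10.1.1.77 in the sample) from being flagged alongside one that sweeps the subnet in seconds.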