[Dshield] F-Secure Radar2 Alert

Mark Tombaugh mtombaugh at alliedcc.com
Fri Jan 20 22:51:12 GMT 2006


Whatever it's called, the snort sigs at bleeding for Nyxem-D do catch the
sample sent to me. Many thanks to Tom Shaw.

http://www.bleedingsnort.com
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/rules/bleeding-virus.rules?r1=1.842&r2=1.843

Keep in mind that these are pretty weak signatures. They do catch
almost all Nyxem-D (VB-8) and the single new variant
(d41d8cd98f00b204e9800998ecf8427e) I looked at. They should never be
depended on for prevention. However, they should be good enough to spot
an infection on your network when it's spamming, or possibly reduce
server load if it gets out of hand on the Internet. Looking for shares
containing winzip_tmp.exe on your network might be another, possibly
better, way to find it locally.

Clam:   Worm.VB-9 
BDC:    Win32.Worm.P2P.ABM
NAI:    W32/MyWife.d@MM

tgif,
Mark
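
The share sweep suggested in the message above, as an added example that is not part of the original post. It assumes the shares are already mounted or reachable as UNC paths and are passed as command-line arguments; it matches the file name case-insensitively and records size, timestamp and SHA-256 for triage.

```python
import hashlib
import os
from datetime import datetime, timezone

INDICATOR = "winzip_tmp.exe"  # file name taken from the message above


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(roots, indicator=INDICATOR):
    """Walk each share root; return (hits, unreadable_paths)."""
    hits, unreadable = [], []
    wanted = indicator.lower()
    for root in roots:
        # Record directories that could not be listed instead of skipping them
        # silently: an unreadable share is a coverage gap, not a clean result.
        walker = os.walk(root, onerror=lambda e: unreadable.append(e.filename))
        for dirpath, _dirs, files in walker:
            for name in files:
                if name.lower() != wanted:  # Windows file names ignore case
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                    modified = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                    hits.append({"path": path, "size": st.st_size,
                                 "modified": modified.isoformat(),
                                 "sha256": sha256_of(path)})
                except OSError:
                    unreadable.append(path)
    return hits, unreadable


if __name__ == "__main__":
    import sys
    found, skipped = sweep(sys.argv[1:])  # share roots are caller-supplied (assumption)
    for hit in found:
        print("{modified}  {size:>10}  {sha256}  {path}".format(**hit))
    for path in skipped:
        print("UNREADABLE  " + str(path), file=sys.stderr)
```

A hit is a lead for triage, not a verdict: compare the recorded hash against a confirmed sample before acting on it.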




