Nachi/Welchia signature

Steve Bernard sbernard at gmu.edu
Tue Aug 19 14:39:13 GMT 2003


I've built a tcpdump filter to search for Nachi/Welchia worm traffic. So far
I'm seeing one dial-up user who's computer is constantly pinging an address
in Yahoo's domain which resolves as, UNKNOWN-64-58-77-85.yahoo.com. The host
was sending echo-requests every 3 to 4 seconds.

My current tcpdump filter is:

'icmp[icmptype]==icmp-echo && icmp[32]==0xAA && icmp[33]==0xAA &&
icmp[34]==0xAA && icmp[35]==0xAA'

This looks for ICMP echo-requests in which the first 4 data bytes are each
0xAA (hex) or 170 (decimal).
Suggestions for improvement or simplification are welcome.

Has anyone built a filter which will look for outbound TCP requests to ports
666 thru 765, as indicated by Symantec's updated discussion? My fingers are
feeling lazy and I don't have an auto-generation script written yet ;)


Regards,

Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia



More information about the unisog mailing list