TCPDUMP/PCAP signature for W32.Witty worm - CORRECTED

Stephen Bernard sbernard at gmu.edu
Mon Mar 22 21:12:35 GMT 2004


I fat-fingered a single character in the previous example that I 
provided. The corrected version is here:

(udp) && (udp[0:2] == 0xfa0) && (udp[2:2] > 0x401) && (udp[131:4] == 
0x696e7365) && (udp[135:4] == 0x72742077) && (udp[139:4] == 0x69747479)


Regards,

Steve Bernard
Sr. Systems Engineer, NET
George Mason University
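
The offsets in the filter count from the start of the UDP header, so the three 4-byte compares cover header-relative bytes 131 to 142, which is payload offset 123. The Python below is an added example, not part of the original post: it re-implements the same checks over constructed datagrams, and its function names and sample bytes are assumptions made for illustration.

```python
import struct

# Constants copied from the filter in the post above.
SRC_PORT = 0x0FA0           # udp[0:2] == 0xfa0  (decimal 4000)
DST_PORT_FLOOR = 0x0401     # udp[2:2] >  0x401  (decimal 1025, exclusive)
MARKER_OFFSET = 131         # counted from the first byte of the UDP header
MARKER = bytes.fromhex("696e7365" "72742077" "69747479")  # udp[131:4..139:4]


def decode_marker():
    """Return the ASCII text that the three 32-bit constants spell out."""
    return MARKER.decode("ascii")


def matches(udp):
    """Apply the filter's tests to raw bytes of UDP header + payload."""
    if len(udp) < MARKER_OFFSET + len(MARKER):
        # A BPF load past the end of the packet rejects the packet,
        # so a short datagram can never match.
        return False
    sport, dport = struct.unpack_from("!HH", udp, 0)  # network byte order
    window = udp[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)]
    return sport == SRC_PORT and dport > DST_PORT_FLOOR and window == MARKER


def build_datagram(sport, dport, payload):
    """Constructed test input: 8-byte UDP header (checksum 0) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def sample_payload(marker_at, size=200):
    """Constructed zero-filled payload with the marker at a payload offset."""
    buf = bytearray(size)
    buf[marker_at:marker_at + len(MARKER)] = MARKER
    return bytes(buf)


if __name__ == "__main__":
    print("marker text:", repr(decode_marker()))
    hit = build_datagram(4000, 5000, sample_payload(MARKER_OFFSET - 8))
    off_by_one = build_datagram(4000, 5000, sample_payload(MARKER_OFFSET - 7))
    print("marker at udp[131]:", matches(hit))
    print("marker at udp[132]:", matches(off_by_one))
```
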


