TCPDUMP/PCAP signature for W32.Witty worm - CORRECTED

Stephen Bernard sbernard at
Mon Mar 22 21:12:35 GMT 2004

I fat-fingered a single character in the previous example that I
provided. The corrected version is here:

(udp) && (udp[0:2] == 0xfa0) && (udp[2:2] > 0x401) && (udp[131:4] == 
0x696e7365) && (udp[135:4] == 0x72742077) && (udp[139:4] == 0x69747479)


Steve Bernard
Sr. Systems Engineer, NET
George Mason University
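
Added example, not part of the original post: a Python re-implementation of the filter above, run against a constructed UDP segment, to show what each term tests. The offsets count from the start of the UDP header, so `udp[131:4]` is payload byte 123, and the three constants spell an ASCII string. The function names and sample packet are assumptions made for illustration.

```python
import struct

# Constants copied from the filter in the post.
SRC_PORT = 0x0FA0        # udp[0:2]: source port 4000
MIN_DST_PORT = 0x0401    # udp[2:2] must be greater than 1025
MARKER_OFFSET = 131      # byte offset from the start of the UDP header
MARKER = struct.pack(">III", 0x696E7365, 0x72742077, 0x69747479)

UDP_HEADER_LEN = 8


def marker_text():
    """ASCII form of the three 32-bit constants the filter compares."""
    return MARKER.decode("ascii")


def matches_filter(segment: bytes) -> bool:
    """Evaluate the posted expression on a UDP segment (header + payload)."""
    end = MARKER_OFFSET + len(MARKER)
    if len(segment) < end:
        # In BPF an out-of-range load rejects the packet; do the same here.
        return False
    src, dst = struct.unpack_from(">HH", segment, 0)
    return (src == SRC_PORT
            and dst > MIN_DST_PORT
            and segment[MARKER_OFFSET:end] == MARKER)


def build_segment(src, dst, payload):
    """Constructed test input: UDP header (checksum left 0) plus payload."""
    length = UDP_HEADER_LEN + len(payload)
    return struct.pack(">HHHH", src, dst, length, 0) + payload


def sample_payload(shift=0):
    """Constructed payload: zero filler with the marker at payload offset 123."""
    pad = MARKER_OFFSET - UDP_HEADER_LEN + shift
    return b"\x00" * pad + MARKER + b"\x00" * 16


if __name__ == "__main__":
    print("marker:", marker_text())
    for src, dst in [(4000, 2048), (4001, 2048), (4000, 1025)]:
        seg = build_segment(src, dst, sample_payload())
        print(src, dst, matches_filter(seg))
```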
