This string tested positive in all SMTP tests (not the virus itself, but sending emails with an infected ZIP attached).
52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30
The previous tests involved SMB (copying the file to a network share). The packet sizes evidently ended up smaller with SMTP, and my original string got split over two packets.
So... I have no idea whether either string will match when the virus tries to copy over port 3127 (the only untested protocol), but I have rules with both strings set up and waiting patiently.
Jason Brewer wrote:
> I was able to get my hands on two copies of the virus.. They are
> slightly different in size and definitely have different md5sums.
>
> I created a couple of signatures using this string that matched in both
> files:
>
> 25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37
>
> I'm monitoring ports 25, 135:139, 445, and 3127 with this signature to
> try and catch all methods of propagation.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
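Why the original 16-byte string stopped matching once the attachment went over SMTP, as an added example (not code from either poster): a content signature checked one packet at a time misses when the bytes straddle a TCP segment boundary, while the same signature checked against the reassembled stream still hits. The two signature strings are the ones quoted in the thread; the filler bytes around them, the offset at which the signature is embedded, and the segment sizes are constructed for the demonstration.

```python
# Added example, not part of the original post: per-packet versus
# stream-reassembled content matching for a fixed byte signature.
from typing import Iterable, List

# Signature strings quoted in the thread (hex -> bytes).
SIG_SMTP = bytes.fromhex("52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30")
SIG_SMB = bytes.fromhex("25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37")


def build_sample_payload(signature: bytes, offset: int, total: int = 600) -> bytes:
    """Constructed stand-in for the transferred file: deterministic filler
    (0x00..0xFF repeated) with the signature embedded at `offset`."""
    filler = (bytes(range(256)) * 3)[:total]
    return filler[:offset] + signature + filler[offset + len(signature):]


def segment(payload: bytes, mss: int) -> List[bytes]:
    """Split the payload into segments of at most `mss` bytes, the way the
    sender's TCP stack would (constructed segment sizes, not captured ones)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def match_per_packet(segments: Iterable[bytes], signature: bytes) -> bool:
    """Naive content match: every segment inspected in isolation."""
    return any(signature in seg for seg in segments)


def match_reassembled(segments: Iterable[bytes], signature: bytes) -> bool:
    """Stream-aware match: segments joined in order before inspection."""
    return signature in b"".join(segments)


def split_points(payload: bytes, signature: bytes, mss: int) -> List[int]:
    """Segment boundaries that fall strictly inside the signature, i.e. the
    boundaries that make the per-packet matcher fail."""
    start = payload.find(signature)
    if start < 0:
        return []
    end = start + len(signature)
    return [b for b in range(mss, len(payload), mss) if start < b < end]


if __name__ == "__main__":
    payload = build_sample_payload(SIG_SMTP, offset=280)
    for mss in (1460, 288):  # large MSS: one segment; small MSS: split at 288
        segs = segment(payload, mss)
        print(f"mss={mss:5d} segments={len(segs)} "
              f"per_packet={match_per_packet(segs, SIG_SMTP)} "
              f"reassembled={match_reassembled(segs, SIG_SMTP)} "
              f"boundaries_inside_sig={split_points(payload, SIG_SMTP, mss)}")
```

The practical point for the rules mentioned in the thread: a content rule is only reliable across segment boundaries if the sensor reassembles the TCP stream before inspection (in Snort, the stream reassembly preprocessor), or if it is fed the reassembled payload by some other means; otherwise whether a given 16-byte string fires depends on where the sender's segment boundaries happen to land, which differs between SMB, SMTP and a raw port 3127 transfer.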
