2375.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:  

--
Sid:
2375

--
Summary:
This event is generated when activity from the worm DoomJuice is
detected. 

--
Impact:
This is indicative of worm activity which may launch of a Denial of
Service condition against Microsoft from infected machines.

--
Detailed Information:
This event is indicative of activity by the DoomJuice worm. This worm
attempts to connect to random addresses on port 3127, if it receives a
response it will attempt to upload a copy of itself to the target
machine. If no response is received on that port, it will try on ports
between 3127 and 3199.

If the date is between February 8th and February 28th 2004, the worm
will attempt to launch a Denial of Service (DoS) attack against
www.microsoft.com.

--
Affected Systems:
	Windows 95
	Windows 98
	Windows Me
	Windows NT
	Windows 2000
	Windows XP
	Windows Server 2003

--
Attack Scenarios:
This is worm activity.

--
Ease of Attack:
Simple.

--
False Positives:
None Known

--
False Negatives:
It is possible to edit the binary data in the executable to create a
variant of the worm. This may evade the rule.

--
Corrective Action:
Use Anti-Virus software to remove the worm.

--
Contributors:
Sourcefire Research Team
Matt Watchinski <matthew.watchinski@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

--