Common Worms/Viruses

This is just a quick list of worms/viruses that have plagued mankind over the last year or so. I have tried to include the most bothersome ones, such as Code Red, as well as the more interesting or novel worms. Behaviors of note include the means of transmission, victim-selection methods, and social-engineering techniques.

Organization

These have been loosely categorized as the following:
Windows Worms - Require NO human interaction to spread.
UNIX/Linux Worms - Same as above.
Email/WWW/Shares/IRC - Require some human interaction - open attachment, view mail, execute program, etc.

Then, within each category they have been further divided into:
Novel or Otherwise Important - Either it is the first of its kind, does something new, or gained a lot of attention for some other reason.
Copiers of Less Consequence - Nothing new, but included for the sake of completeness.

Links to more worm information

CERT
F-Secure - Their virus section has information relating to both worms and viruses.

Most Recent Worms

Klez - Jan. 2002
Sharpei - Feb. 2002: Attacks .NET architecture
Donut - Jan. 2002: "First" to attack .NET architecture

Windows Worms

Novel or Otherwise Important:

Nimda Worm
Code Red v1
Code Red II
sadmind/IIS Worm (Windows/Solaris)

Copiers of Less Consequence:


UNIX/Linux Worms

Novel or Otherwise Important:

Adore Worm
BIND vulnerabilities
Lion Worm
Cheese Worm
Ramen toolkit

Copiers of Less Consequence:


Email/WWW/Shares/IRC (viruses)

Novel or Otherwise Important:

Melissa Macro Virus
Love Letter
W32/Sircam Malicious Code
W32/BadTrans Worm
W32/Goner Worm

Copiers of Less Consequence:

VBS/OnTheFly (Anna Kournikova) Malicious Code

Others that we might want to look at:

CIH Chernobyl
Happy 99
Worm.ExploreZip
Bubbleboy
The Love Bug or I LOVE YOU

Snort Signatures

Code Red v1
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1244; rev:2;)
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; rev:2;)

Note that these rules tend to over-generalize, so admins have to reduce false alarms by adding large numbers of exemption or exception rules.

Code Red v2
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:3;)
This rule is rather targeted, but it is easily thwarted by a variant that uses a polymorphic script name instead of root.exe.

Nimda Worm
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|E|00|M|00|L"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295; rev:2;)
Here are signatures for three of the Nimda infection vectors (email, web, and file shares).

Ramen toolkit
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flags: A+; content: "GET "; depth: 8; nocase;reference:arachnids,460; classtype:bad-unknown; sid:506; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm outgoing"; flags: A+; content: "GET "; depth: 8; nocase;reference:arachnids,461;classtype:bad-unknown; sid:514; rev:1;)
Nothing special here: these just look for CGI-style GET requests on a specific port (27374). Two rules are needed to cover both incoming and outgoing attacks.

sadmind/IIS Worm
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC sadmind worm access"; flags:A+; content:"GET x HTTP/1.0"; offset:0; depth:15; classtype:attempted-recon; reference:url,www.cert.org/advisories/CA-2001-11.html; sid:1375; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; flags:A+; sid:1272; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:2;)
Rules for both the sadmind worm and its RPC infection mechanisms. The RPC signatures look for part of the shellcode in the buffer overflow. The IIS signature just looks at "GET x HTTP/1.0" web server requests.

BIND vulnerabilities
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; flags:A+; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; classtype:attempted-admin; sid:314; rev:5; reference:cve,CVE-2001-0010; reference:bugtraq,2302;)
Again, these attempt to match known shellcode used to exploit the BIND service.

Love Letter
W32/Sircam Malicious Code
VBS/OnTheFly (Anna Kournikova) Malicious Code
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase; sid:796; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase; sid:798; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase; reference:MCAFEE,98674; sid:799; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase; reference:MCAFEE,98661; sid:800; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase; sid:801; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; content: "filename=\"tune.vbs\""; nocase; reference:MCAFEE,10497; sid:740; classtype:misc-activity; rev:3;)
Outlook hides known file extensions (unless disabled), so double extensions such as .txt.vbs have become a common way to trick the user into opening an infected attachment. The above signatures attempt to detect the transmission of such mass-mailer worms.
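As an added example (not part of the original page), here is a minimal Python re-implementation of the Snort payload options these rules rely on (content, uricontent, nocase, offset, depth, dsize), run over constructed sample payloads. It illustrates both the over-generalization noted for the Code Red rules, where the broad sid 1242 "access" rule fires on a legitimate .ida query as well as on a Code Red style request while the dsize check keeps sid 1243 quiet, and the double-extension POP3 rule (sid 795) matching a mixed-case filename thanks to nocase. The depth-from-offset and request-target-as-URI semantics are assumptions of this toy matcher, not a statement of Snort's documented behavior.

```python
import re

def parse_rule(rule):
    """Ordered (keyword, value) pairs of a Snort 1.x rule's option list, quotes stripped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for part in re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', body):  # split on ';' outside quotes
        key, _, val = (s.strip() for s in part.partition(":"))
        opts.append((key, val[1:-1].replace('\\"', '"') if val[:1] == '"' else val))
    return opts

def content_bytes(val):
    """Decode Snort content syntax: text mixed with |hex| sections, e.g. "|00|E|00|M"."""
    return b"".join(bytes.fromhex(c) if i % 2 else c.encode("latin-1") for i, c in enumerate(val.split("|")))

def matches(rule, payload):
    """True if content/uricontent (with nocase, offset, depth) and dsize all pass; ports and
    flags are assumed matched. Assumed: depth counts from offset; uricontent searches the URI."""
    uri = payload.split(b" ")[1] if payload.startswith(b"GET ") else b""  # HTTP request-target
    pats = []
    for key, val in parse_rule(rule):
        if key in ("content", "uricontent"):
            pats.append({"key": key, "pat": content_bytes(val), "nocase": False, "offset": 0, "depth": 1 << 30})
        elif key == "nocase":
            pats[-1]["nocase"] = True
        elif key in ("offset", "depth"):
            pats[-1][key] = int(val)
        elif key == "dsize" and not len(payload) > int(val.lstrip(">")):  # only the ">n" form the page uses
            return False
    for p in pats:
        hay = uri if p["key"] == "uricontent" else payload
        window, pat = hay[p["offset"]:p["offset"] + p["depth"]], p["pat"]
        if p["nocase"]:
            window, pat = window.lower(), pat.lower()
        if pat not in window:
            return False
    return True

# Rules from the page (sids 1243, 1242, 795), with the reference options dropped for brevity.
IDA_ATTEMPT = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; classtype:web-application-attack; sid:1243; rev:2;)'
IDA_ACCESS = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; classtype:web-application-activity; sid:1242; rev:2;)'
TXT_VBS = 'alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795; classtype:misc-activity; rev:3;)'
# Constructed sample payloads (not captured traffic): a Code Red style request padded past the dsize
# threshold, a short legitimate .ida query, and a POP3 message naming a double-extension attachment.
CODE_RED = b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858=a HTTP/1.0\r\n\r\n"
BENIGN_IDA = b"GET /search.ida?q=reports HTTP/1.0\r\nHost: intranet\r\n\r\n"
RESUME_MAIL = b'Content-Disposition: attachment; filename="resume.TXT.vbs"\r\n'

def fired(payload):
    """Sids of the page's rules that fire on one payload; note the benign query still trips sid 1242."""
    return sorted(int(dict(parse_rule(r))["sid"]) for r in (IDA_ATTEMPT, IDA_ACCESS, TXT_VBS) if matches(r, payload))
```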

W32/Goner Worm
alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)
Looks for transmission of MS screensaver files (.scr).


Addam Schroll
Last modified: Mon Feb 25 17:33:27 EST 2002