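# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: virus.rules,v 1.16 2002/08/18 20:28:43 cazz Exp $
#------------
# VIRUS RULES
#------------
#
# NOTE: These rules are NOT being actively maintained.
#
#
# If you would like to MAINTAIN these rules, e-mail
# snort-sigs@lists.sourceforge.net
#
# Maintenance notes:
#
# * Almost every rule is "alert tcp any 110 -> any any" with no flow: option
#   and no $HOME_NET/$EXTERNAL_NET variables: it inspects every segment whose
#   source port is 110 (POP3 server -> client, i.e. mail being downloaded),
#   in any TCP state and in either direction of a connection that happens to
#   use that port.  Only sid:1800 at the bottom is written in the
#   flow:established + network-variable style; moving the rest to that form
#   removes alerts from unestablished or replayed segments.
# * "flags:A" (sid:732) and "flags:PA" (sid:736, sid:738) are exact-match
#   tests: a segment carrying any additional flag is not matched.  Data
#   segments commonly set PSH together with ACK, so "flags:A" misses them;
#   "flags:A+" or flow:established is the usual replacement.
# * "nocase" modifies only the content: option immediately before it.  In
#   rules with several content: options (sid:737, 793, 795-798, 801) the
#   earlier patterns remain case-sensitive.
# * Hex patterns (|..|) decode to plain ASCII MIME parameter text, e.g.
#   sid:731/732 "qazwsx.hsq", sid:742 name ="WWIII!, sid:748
#   name ="BADASS.EXE", sid:802 name ="Zipped_Files.EXE".  They match
#   byte-exact, so a filename in a different letter case is not covered.
# * sid:721 ".pif", sid:729 ".scr", sid:730 ".shs" and sid:793 ".vbs" match a
#   bare extension string anywhere in the mail stream and fire on any message
#   that merely mentions it; expect false positives and tune or disable them.
# * Reference ids are left as found except sid:789 (see comment there).
#   sid:750 is not present in this file.
#
alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; content:"Suddlently"; sid:720; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible pif Worm"; content: ".pif"; nocase; sid:721; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; content: "NAVIDAD.EXE"; nocase; sid:722; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myromeo.exe"; nocase; sid:723; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myjuliet.chm"; nocase; sid:724; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "ble bla"; nocase; sid:725; classtype:misc-activity; rev:3;)
# sid:726-728 are case-sensitive subject-line strings (no nocase).
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "I Love You"; sid:726; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Sorry... Hey you !"; sid:727; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "my picture from shake-beer"; sid:728; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible shs Worm"; content: ".shs"; nocase; sid:730; classtype:misc-activity; rev:3;)
# QAZ: hex content is "qazwsx.hsq"; sid:732 watches the same string towards
# port 139 (SMB) and sid:733 the string "nongmin_cn" in outbound SMTP.
alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:731; classtype:misc-activity; rev:3;)
alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732; classtype:misc-activity; rev:3;)
alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; content:"nongmin_cn"; reference:MCAFEE,98775; sid:733; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; content: "Software provide by [MATRiX]"; nocase; sid:734; classtype:misc-activity; rev:3;)
# NOTE(review): the content below ("Matrix has you...") sits next to the
# Matrix rule sid:734 but the msg says MyRomeo; looks like a copy-paste
# mislabel -- confirm against the family description before renaming.
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Matrix has you..."; sid:735; classtype:misc-activity; rev:3;)
alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; content: "funguscrack@hotmail.com"; nocase; sid:736; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase; sid:737; classtype:misc-activity; rev:3;)
# sid:738 is the only POP3 rule looking client -> server (any -> 110).
alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon"; reference:MCAFEE,98696; sid:738; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase; reference:MCAFEE,10389; sid:739; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; content: "filename=\"tune.vbs\""; nocase; reference:MCAFEE,10497; sid:740; classtype:misc-activity; rev:3;)
# NAIL: hex contents decode to "Market share tipoff", name ="WWIII!,
# "New Developments" and "Good Times".
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; content: "filename=\"XPASS.XLS\""; nocase; reference:MCAFEE,10145; sid:745; classtype:misc-activity; rev:3;)
# Freelink: hex content is "LINKS.VBS" (upper case only; cf. sid:774 which
# matches the lower-case name ="links.vbs" form).
alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|"; reference:MCAFEE,10225; sid:746; classtype:misc-activity; rev:3;)
# sid:747 matches any attachment literally named SETUP.EXE -- very generic.
alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase; sid:747; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|"; reference:MCAFEE,10388; sid:748; classtype:misc-activity; rev:3;)
# ExploreZip.B: hex content is name ="File_zippati.exe".
alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|"; reference:MCAFEE,10471; sid:749; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; content: "filename=\"KAK.HTA\""; nocase; reference:MCAFEE,10509; sid:751; classtype:misc-activity; rev:3;)
# msg normalised to the "Virus - Possible ..." form used by every other rule
# in this file; rev bumped accordingly.
alert tcp any 110 -> any any (msg:"Virus - Possible Suppl Worm"; content: "filename=\"Suppl.doc\""; nocase; reference:MCAFEE,10361; sid:752; classtype:misc-activity; rev:5;)
# NewApt.Worm: one rule per known attachment name, all citing MCAFEE,10540.
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase; reference:MCAFEE,10540; sid:753; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase; reference:MCAFEE,10502; sid:754; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; content: "filename=\"irok.exe\""; nocase; reference:MCAFEE,98552; sid:755; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; content: "filename=\"Fix2001.exe\""; nocase; reference:MCAFEE,10355; sid:756; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase; reference:MCAFEE,10505; sid:757; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase; reference:MCAFEE,10478; sid:758; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase; reference:MCAFEE,10502; sid:759; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase; reference:MCAFEE,10467; sid:760; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase; reference:MCAFEE,10540; sid:761; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase; reference:MCAFEE,10540; sid:762; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase; reference:MCAFEE,10540; sid:763; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase; reference:MCAFEE,10540; sid:764; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase; reference:MCAFEE,10540; sid:765; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase; reference:MCAFEE,10540; sid:766; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase; reference:MCAFEE,10540; sid:767; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase; reference:MCAFEE,10540; sid:768; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase; reference:MCAFEE,10540; sid:769; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase; reference:MCAFEE,10540; sid:770; classtype:misc-activity; rev:3;)
# NOTE(review): sid:771 cites MCAFEE,10540, the id every NewApt.Worm rule
# uses; probably wrong for Toadie, but the correct id is not recoverable
# from this file -- left as found.
alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; content: "filename=\"Toadie.exe\""; nocase; reference:MCAFEE,10540; sid:771; classtype:misc-activity; rev:3;)
# PrettyPark: "\CoolProgs\" searched only in bytes 300..1050 of the payload.
alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750; reference:MCAFEE,10175; sid:772; classtype:misc-activity; rev:3;)
# Happy99: matches the mail header the virus adds; the colon is escaped
# because ":" is an option separator in Snort rule syntax.
alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; content:"X-Spanska\:Yes"; reference:MCAFEE,10144; sid:773; classtype:misc-activity; rev:3;)
# CheckThis: hex content is name ="links.vbs" (no reference id given).
alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|"; sid:774; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; content:"BubbleBoy is back!"; reference:MCAFEE,10418; sid:775; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase; reference:MCAFEE,10540; sid:776; classtype:misc-activity; rev:3;)
# MyPics: hex content is name ="pics4you.exe".
alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|"; reference:MCAFEE,10467; sid:777; classtype:misc-activity; rev:3;)
# Babylonia: hex content is name ="X-MAS.EXE".
alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|"; reference:MCAFEE,10461; sid:778; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase; reference:MCAFEE,10540; sid:779; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase; reference:MCAFEE,10540; sid:780; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase; reference:MCAFEE,10540; sid:781; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase; reference:MCAFEE,10540; sid:782; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase; reference:MCAFEE,10540; sid:783; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase; reference:MCAFEE,10540; sid:784; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase; reference:MCAFEE,10540; sid:785; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase; reference:MCAFEE,10540; sid:786; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase; reference:MCAFEE,10540; sid:787; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase; reference:MCAFEE,10540; sid:788; classtype:misc-activity; rev:3;)
# Reference id corrected from MCAFEE,1054 (a truncated id; every other
# NewApt.Worm rule cites 10540); rev bumped.
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase; reference:MCAFEE,10540; sid:789; classtype:misc-activity; rev:4;)
# NOTE(review): the hex content below decodes to name ="THE_FLY.CHM", the
# same attachment sid:758 attributes to The_Fly; verify the "Common Sense
# Worm" label (could be an alias of the same family) before changing it.
alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|"; sid:790; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase; reference:MCAFEE,10540; sid:791; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase; reference:MCAFEE,98661; sid:792; classtype:misc-activity; rev:3;)
# Generic: any multipart message with a part name containing ".vbs".
# Only ".vbs" is matched case-insensitively; "multipart" and "name=" are not.
alert tcp any 110 -> any any (msg:"Virus - Mail .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase; sid:793; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"Explorer.doc\""; nocase; reference:MCAFEE,98661; sid:794; classtype:misc-activity; rev:3;)
# Double-extension attachments (".<ext>.vbs"); "filename=" stays
# case-sensitive, the extension pair is case-insensitive.
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase; sid:796; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase; sid:798; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase; reference:MCAFEE,98674; sid:799; classtype:misc-activity; rev:3;)
# sid:800 matches any mail carrying a NORMAL.DOT attachment -- very generic.
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase; reference:MCAFEE,98661; sid:800; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase; sid:801; classtype:misc-activity; rev:3;)
# msg typo ("Possbile") fixed; rev bumped.  Hex content is
# name ="Zipped_Files.EXE".
alert tcp any 110 -> any any (msg:"Virus - Possible Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|"; reference:MCAFEE,10450; sid:802; classtype:misc-activity; rev:4;)
# Klez: the only rule here in the flow/variable style (inbound SMTP to
# $SMTP_SERVERS, established, payload > 120 bytes).  "VGhpcyBwcm9" is the
# base64 prefix of "This pro..."; a different line wrapping of the base64
# body would not be matched.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:2;)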