Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1294 |
| Message | NETBIOS nimda .nws |
| Summary | This event is generated when traffic indicating Nimda worm activity is detected. |
| Impact | Possible infection by the Nimda virus. |
| Detailed Information | Nimda spreads through file infection, mass emailing, file shares, and an IIS Unicode exploit used against unpatched systems. |
| Affected Systems | Windows 95, Windows 98, Windows ME, Windows 2000 |
| Attack Scenarios | An unpatched server connected to the internet is infected, or an infected email is opened. Once a host is infected, the worm spreads itself. |
| Ease of Attack | Simple |
| Corrective Action | Check the suspect host for signs of infection. Apply patches or upgrade the operating system. |
| Additional References | Microsoft: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp; F-Secure: http://www.f-secure.com/v-descs/nimda.shtml |
| Rule References | url: www.f-secure.com/v-descs/nimda.shtml |
--
DID:145805