Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:720 |
| Message | Virus - SnowWhite Trojan Incoming |
| Summary | This event is generated when email that may contain an attachment with the Snow White worm is received from a Post Office Protocol (POP) server. |
| Impact | Possible system compromise. The worm can alter system files and registry key settings. |
| Detailed Information | The Snow White worm, also known as Hybris, may contain text with the unique misspelling "Suddlently". This worm attempts to write to the wsock32.dll library. It may also attempt to alter registry key settings. |
| Affected Systems | Microsoft Win32 systems. |
| Attack Scenarios | The worm is spread by e-mail and attempts to infect other hosts when a user opens the e-mail attachment. |
| Ease of Attack | Simple |
| Corrective Action | Make sure that the suspected infected host has the most current anti-virus software. Run a virus scan on the suspected infected host. |
| Additional References | F-Secure: http://www.f-secure.com/v-descs/hybris.shtml |
--
DID:591552