Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:797 |
| Message | Virus - Possible Worm - jpg.vbs file |
| Summary | This rule has been placed in deleted.rules. It has been superseded by sid 721. |
| Impact | Mail worms may spread rapidly because users execute them. |
| Detailed Information | Windows systems are often configured not to display file extensions. When a second extension is added, users can mistake an executable for a picture: e.g. niceboy.jpg.vbs is displayed as niceboy.jpg but is a Visual Basic script, not a picture. |
| Affected Systems | |
| Attack Scenarios | Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. |
| Ease of Attack | Very easy. One needs to attach a file and hope that it gets executed. |
| Corrective Action | Use antivirus software. Configure mail clients securely, especially when using Windows desktops. Educate your mail users. Deny all attachments at the gateway if you can. |
| Additional References | See websites of antivirus companies. |
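
A gateway-side check for the double-extension naming described under Detailed Information, as an added example that is not part of the original rule documentation or of the Snort rule itself. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly or hands to a script host (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr",
                   "pif", "com", "bat", "cmd", "hta", "lnk"}
# Extensions a user reads as harmless content when the real one is hidden.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}


def is_double_extension(filename):
    """True if the name ends in <decoy>.<executable>, e.g. niceboy.jpg.vbs."""
    # Trailing dots/spaces and padding around the extensions are normalised
    # before comparison, so "a.txt   .vbs" and "A.JPG.VBS." are still caught.
    parts = [p.strip().lower() for p in filename.rstrip(". ").split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def suspicious_attachments(raw_message):
    """Return attachment filenames in a raw RFC 5322 message that use the trick."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_double_extension(n)]


def build_sample():
    """Constructed sample message with three attachments (not real traffic)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for name in ("niceboy.jpg.vbs", "holiday.jpg", "archive.tar.gz"):
        m.add_attachment(b"x", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    for name in suspicious_attachments(build_sample()):
        print("quarantine:", name)
```
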
--
DID:522683