3111 "W32 Sircam Malicious Code"

Oct 5th, 2001
Since we updated sensors to S7, we often see alarms triggered by the signature 3111 "W32 Sircam Malicious Code". All of the alarms have the same context as follows:


kAZAAgAGYAbABvAGEAdABpAG4AZwAgAHAAbwBpAG4AdAAgAG8AcABlAHIAYQB0AGkA

bwBuAB8ARgBsAG8AYQB0AGkAbgBnACAAcABvAGkAbgB0ACAAZABpAHYAaQBzAGkAbwBuACAA

YgB5ACAAegBlAHIAbwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJj1POMKC

N7jzJEIDF5s6gwEAAMwAAAAAGQAAAAGgU0NhbTMy


I would like to know why the 3111 signature's alarms are triggered and have the above strings in their context.


Thanks.

rdhamank Fri, 10/05/2001 - 07:49
The signature looks for a binary file attachment of the SirCam virus. The virus binary contains Scam32 in it, which when attached gets MIME encoded, and the string U0NhbTMy is the MIME encoding of it. Please check the kind of attachments you are getting.
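The match described in the reply can be reproduced offline. This is an added example, not part of the thread and not Cisco's signature logic: it decodes the last line of the alarm context quoted in the question, and it goes beyond the single string in the reply by deriving the base64 text a marker produces at each of the three byte alignments, since a fixed string such as U0NhbTMy only appears when the marker starts at an offset divisible by 3. The function names are hypothetical.

```python
import base64

NEEDLE = b"SCam32"  # the bytes that the quoted string U0NhbTMy decodes to

# Last line of the alarm context quoted in the question (copied from the post).
CONTEXT_TAIL = "N7jzJEIDF5s6gwEAAMwAAAAAGQAAAAGgU0NhbTMy"


def b64_variants(needle):
    """Base64 text produced by `needle` at each alignment (offset mod 3)
    inside a larger file. Index 0 is the aligned case."""
    variants = []
    # lead = leading characters whose bits are shared with preceding bytes
    for shift, lead in ((0, 0), (1, 2), (2, 3)):
        enc = base64.b64encode(b"\x00" * shift + needle).rstrip(b"=")
        # Keep only characters built entirely from needle bits; a trailing
        # character that would mix in the following file bytes is dropped.
        stable_end = (8 * (shift + len(needle))) // 6
        variants.append(enc[lead:stable_end])
    return variants


def matching_shifts(encoded, needle=NEEDLE):
    """Return the alignments at which `needle` is visible in a base64 body.
    MIME wraps base64 at 76 columns, so line breaks are removed first."""
    body = b"".join(encoded.split())
    return [s for s, v in enumerate(b64_variants(needle)) if v in body]


def decode_tail(text=CONTEXT_TAIL):
    """Decode the quoted context line back to the raw attachment bytes."""
    return base64.b64decode(text)


if __name__ == "__main__":
    print("variants:", b64_variants(NEEDLE))
    print("context tail ends with:", decode_tail()[-6:])
    for offset in range(6):
        # Constructed sample: filler bytes, the marker, then trailing bytes.
        sample = b"\x90" * offset + NEEDLE + b"\xcc\xdd"
        print(offset, matching_shifts(base64.b64encode(sample)))
```
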