New Member

3111 "W32 Sircam Malicious Code"

Since we updated sensors to S7, we often see alarms triggered by the signature 3111 "W32 Sircam Malicious Code". All of the alarms have the same context as follows:

kAZAAgAGYAbABvAGEAdABpAG4AZwAgAHAAbwBpAG4AdAAgAG8AcABlAHIAYQB0AGkA

bwBuAB8ARgBsAG8AYQB0AGkAbgBnACAAcABvAGkAbgB0ACAAZABpAHYAaQBzAGkAbwBuACAA

YgB5ACAAegBlAHIAbwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJj1POMKC

N7jzJEIDF5s6gwEAAMwAAAAAGQAAAAGgU0NhbTMy

I would like to know why the 3111 signature's alarms are triggered and have the above strings in their context.

Thanks.

1 REPLY
New Member

Re: 3111 "W32 Sircam Malicious Code"

The signature looks for a binary file attachment of the SirCam virus. The virus binary contains Scam32 in it, which, when attached, gets MIME encoded, and the string U0NhbTMy is the MIME encoding of it. Please check the kind of attachments you are getting.

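An added example (not part of the original thread and not Cisco's signature logic) for triaging an alarm like this one: it decodes a captured context that begins mid-stream by aligning on the token the reply names, then lists the readable ASCII and UTF-16LE strings in the decoded bytes. The function names and the sample context are constructed for illustration, and the code assumes the token lies on a base64 group boundary.

```python
import base64
import re

TOKEN = "U0NhbTMy"  # base64 string the reply says signature 3111 keys on


def decode_context(context: str, token: str = TOKEN) -> bytes:
    """Decode an alarm context that may begin in the middle of a base64 stream."""
    b64 = "".join(context.split())  # remove MIME line breaks
    idx = b64.find(token)
    if idx < 0:
        raise ValueError("token not found in context")
    # Assumption: the token starts on a 4-character base64 group boundary,
    # so every group boundary in the capture sits at idx modulo 4.
    start = idx % 4
    end = len(b64) - (len(b64) - start) % 4  # drop a trailing partial group
    return base64.b64decode(b64[start:end])


def strings(data: bytes, min_len: int = 5) -> list[str]:
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len chars."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in ascii_runs]
            + [r.decode("utf-16-le") for r in utf16_runs])


def constructed_context() -> str:
    """Constructed sample (not the poster's capture): binary bytes, a UTF-16LE
    message, zero padding and the marker, MIME-encoded and cut mid-stream."""
    blob = (bytes(range(16))
            + "Floating point division by zero".encode("utf-16-le")
            + b"\x00" * 30
            + base64.b64decode(TOKEN))
    mime = base64.encodebytes(blob).decode("ascii")
    return mime[10:]  # a sensor context rarely starts on a group boundary


if __name__ == "__main__":
    decoded = decode_context(constructed_context())
    for s in strings(decoded):
        print(s)
```

Pasting a real alarm context into `decode_context` in place of the constructed sample shows which readable strings surround the marker, which helps decide what kind of attachment produced the alarm.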