I'm getting hit with this worm and these boxes were compromised. The only way my 4230 (w/ latest sig update installed) alarms is when one of these boxes is used to scan (using Xscan and Dameware) the internet (actually *.edu domains to be specific) for more vulnerable hosts. Various trojan sigs are lit up at this point. Is there a specific signature to detect this worm when it is coming into my network? Thanks for any help.
I looked into this, and the only information that I found was about a trojan program that installed an IRC client on the victim's system that could be used as a backdoor / DDoS client. I didn't see anything about worm-like activity though. Do you have any links to information? You might want to set up a connection signature for port 6667 to catch any IRC connection and filter it for external addresses as the source.
I'm sorry, you are correct that it is a trojan and NOT a worm. I have been catching compromised boxes when they alarm on the various 9000's sigs and also my custom 20000's sigs. These sigs include most backdoor and trojan ports.
What I would like to know is if anyone has developed a sig that does string(s) matching and what those string(s) are?
Here are some good descriptions of these XDCC bots. Although I have found many variants not described in these articles, they use some of the same exes, like kill.exe:
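As an added illustration (not code from the original thread or from the sensor vendor), here is a small Python check that implements the two detection ideas raised above: flagging internal hosts that connect outbound to IRC ports such as 6667, and matching IRC/XDCC command strings on connections to other ports. The log line format, the IRC port list beyond 6667, and the matched strings are assumptions, and the log lines are constructed samples.

```python
import ipaddress
import re

# Constructed sample connection log (not from the thread):
# timestamp src_ip:src_port -> dst_ip:dst_port proto "payload excerpt"
SAMPLE_LOG = """\
2003-04-01T10:00:01 10.1.2.3:1045 -> 203.0.113.7:6667 tcp "NICK [XDCC]bot-1045"
2003-04-01T10:00:02 10.1.2.3:1046 -> 10.1.9.9:6667 tcp "NICK localtest"
2003-04-01T10:00:03 198.51.100.4:40000 -> 10.1.2.3:6667 tcp "NICK remote"
2003-04-01T10:00:04 10.1.2.8:1050 -> 203.0.113.9:80 tcp "GET / HTTP/1.0"
2003-04-01T10:00:05 10.1.2.9:1051 -> 203.0.113.7:8000 tcp "PRIVMSG #chan :xdcc send #1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+) "(.*)"$')

# Assumed "internal" address space: the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed IRC ports: 6667 is the one named in the thread; 6660-6669 and 7000 are common IRC defaults.
IRC_PORTS = {7000} | set(range(6660, 6670))

# Assumed strings: generic IRC commands plus the XDCC keyword, not signatures taken from the thread.
IRC_STRING_RE = re.compile(r'\b(NICK|JOIN|PRIVMSG|xdcc)\b', re.IGNORECASE)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text: str):
    """Return (src, dst, dport, reason) for each outbound IRC-looking connection."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, src, _sport, dst, dport, _proto, payload = m.groups()
        dport = int(dport)
        if not (is_internal(src) and not is_internal(dst)):
            continue  # only internal -> external, the direction the thread is asking about
        if dport in IRC_PORTS:
            alerts.append((src, dst, dport, "outbound IRC port"))
        elif IRC_STRING_RE.search(payload):
            alerts.append((src, dst, dport, "IRC/XDCC string on non-IRC port"))
    return alerts
```

Running `analyze(SAMPLE_LOG)` flags only the first and last lines; the internal-to-internal and inbound connections are ignored.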