Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Mumu

Are there any plans to create a signature for the new Mumu worm?

Also, does anybody have any data about creating a custom sig that would capture the worm's traffic?

Thanks.

1 REPLY
Bronze

Re: Mumu

We generally don't write signatures these types of worms because they mutate so fast. However, 4.0 sensors should catch infected hosts with signature 3320 "SMB: ADMIN$ hidden share access attempt". This is a 4.0 only signature. You would see an infected host as the source for many of these alarms. Because the worm tries to bruteforce passwords, signature 6255 "SMB Authorization Failure" may also fire.

90
Views
0
Helpful
1
Replies
CreatePlease to create content