I submitted a TAC Case on this issue and was told by the engineer that contacted me that Cisco has no plans to add a specific signature to capture the BugBear virus. Three days later they released Signature Update 3.1(3)S33. Below is a description of the signature in question from the Cisco Alert.
"Signature 9023 has been added to address the backdoor created by the W32.Bugbear worm. The signature will fire if a SYN packet is detected destined for TCP port 36794. Any activity on this port may indicate an attacker accessing the Bugbear backdoor. This signature is disabled by default. You can only apply this signature update to IDS-42xx and NRS-xx series Cisco Intrusion Detection System (IDS) sensors. It is not compatible with the WS-X6381-IDS series Intrusion Detection System Module (IDSM)."
Note that this signature is disabled by default (all action codes are set to "0" in packetd.conf); therefore, set the action codes to a value higher than 0 and higher than your MinContextLevel to see attempts to access the backdoor port by BugBear.
Here is an example signature converted from a proposed Snort signature that supposedly fires on the Bugbear worm. It has not been tested. Nor will it be supported or included in a signature update. It may false positive and cause a performance hit on your sensors.
Also, we did release a signature for the BugBear backdoor port in S33. It was a miscommunication that we would not create a signature for that. However, we do not generally write signatures for email-borne viruses like BugBear itself. We believe that anti-virus is the best solution for mitigating these kinds of problems.
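The condition the quoted alert gives for Signature 9023 (a SYN packet destined for TCP port 36794), as an added Python example that is not Cisco's signature or code from this thread. It assumes raw IPv4 packets as input and treats "SYN" as SYN set with ACK clear; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct

BUGBEAR_BACKDOOR_PORT = 36794  # port named in the quoted Cisco alert
SYN, ACK = 0x02, 0x10


def is_backdoor_syn(packet: bytes) -> bool:
    """True for an IPv4 TCP connection attempt (SYN, no ACK) to port 36794."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4          # IP header length, options included
    if ihl < 20 or packet[9] != 6:        # malformed header or not TCP
        return False
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                      # later fragment: no TCP header here
    if len(packet) < ihl + 14:            # need TCP bytes up to the flags
        return False
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]
    return dport == BUGBEAR_BACKDOOR_PORT and flags & (SYN | ACK) == SYN


def scan(packets):
    """Return (source, destination) address pairs for every matching packet."""
    return [(socket.inet_ntoa(p[12:16]), socket.inet_ntoa(p[16:20]))
            for p in packets if is_backdoor_syn(p)]


def build_packet(dport: int, flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 + TCP headers, checksums left at zero."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + 20, 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20")) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags,
                      8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    samples = [build_packet(36794, SYN), build_packet(80, SYN),
               build_packet(36794, SYN | ACK)]
    print(scan(samples))
```
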