Cluster details: [WORM] Conficker/Downadup activity (139/445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase

Name: [WORM] Conficker/Downadup activity (139/445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase
Date: 2008-11-21 05:30:14
Classification Level: Attack
Core: [WORM] Conficker/Downadup activity (139/445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase
Ports: 139/TCP, 445/TCP
Unique Sip: 16210
Signature size: 39
Super signature:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139,445 (msg:"[WORM] Conficker/Downadup activity (139/445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase"; flow:to_server,established; content:"/|ff|SMBr|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|\\|02 00 00 00 00 00 0c 00 02|NT";)