Cluster details: [WORM] Conficker/Downadup activity (445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase

Name: [WORM] Conficker/Downadup activity (445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase
Date: 2009-01-18 18:30:24
Classification Level: Attack
Core: [WORM] Conficker/Downadup activity (445/TCP, "NT LM 0.12", MS08-067) - SMB negotiation phase
Ports: 445/TCP
Unique Sip: 4473
Signature size: 118
Super signature:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"[WORM] Conficker/Downadup activity (445/TCP, \"NT LM 0.12\", MS08-067) - SMB negotiation phase"; flow:to_server,established; content:"|00 00 00|/|ff|SMBr|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|\\|02 00 00 00 00 00 0c 00 02|NT LM 0.12|00 00 00 00|I|ff|SMBs|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|\\|02 00 00 00 00 0d ff 00 00 00 ff ff 02 00|\\|02 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0b 00 00 00|";)