Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Deja Vu - Snow.A SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Deja Vu - Snow.A
Notable behavior - "drops and install WinPcap network drivers", "flood network with spoofed arp packets (arp poisoning) " and "appends its code to all .EXE files in all drives, including mapped network drives and removable disks. Thus, it is able to propagate via the network and removable drives, such as flash drives and floppy disks."

Other - "first attempts to infect files which are running processes", "its main .EXE component respawns when it is terminated, making termination more difficult."

W32/Snow.a
http://vil.nai.com/vil/content/v_138727.htm

PE_SNOW.A

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_SNOW.A

Lorna

165 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!