alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:2007920; rev:2;)

Added 2008-03-12 11:11:29 UTC

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:2007920; rev:2;)

Added 2008-03-12 11:11:29 UTC

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:2007920; rev:2;)

Added 2008-03-12 11:07:11 UTC

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:2007920; rev:2;)

Added 2008-03-12 11:07:11 UTC

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; content:"|32 31 0d 0a|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:2007920; rev:1;)

Added 2008-03-05 12:58:53 UTC

See TrojanDropper497

-- MattJonkman - 05 Mar 2008