#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:20 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:9;)

Added 2012-08-07 18:51:57 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:8;)

Added 2012-03-07 18:44:58 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:7;)

Added 2011-10-12 19:10:03 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; sid:2001047; rev:7;)

Added 2011-09-15 14:46:28 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; sid:2001047; rev:7;)

Added 2011-09-14 20:43:09 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid:2001047; rev:6;)

Added 2011-02-04 17:21:19 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid:2001047; rev:6;)

Added 2010-06-28 22:46:58 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid:2001047; rev:6;)

Added 2010-06-28 22:46:58 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)

Added 2009-02-16 21:30:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)

Added 2009-02-16 21:30:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; sid: 2001047; rev:5;)

Added 2008-01-31 10:12:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; sid: 2001047; rev:5;)

Added 2008-01-31 10:12:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; sid: 2001047; rev:4; )



Topic revision: r1 - 2017-08-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats