r2 - 24 Jun 2009 - 12:44:31 - TimLefler

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:trojan-activity; sid:2002348; rev:4;)

Added 2011-10-12 19:11:30 UTC

 


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; sid:2002348; rev:4;)

Added 2011-09-14 21:36:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002348; rev:4;)

Added 2011-02-04 17:21:48 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002348; rev:3;)

Added 2009-02-10 20:45:24 UTC

Forensics of the computer that fired this alert revealed "Coupon Printer for Windows" installed. SpyBot reports:

Company: Coupons, Inc.
Product: Coupon Bar
Threat: Adaware
Company product URL: http://www.coupons.com/
Company privacy URL: www.coupons.com/corp/source/u_privacypolicy.asp?vf=y
Functionality: Install a tool which provides "Over $100 in printable coupons right from your browser. Keep informed of the latest offers. Contains no adware or spyware. Coupons from companies like General Mills, Kimberly Clark, Nestle, and Johnson & Johnson."

Description: The downloaded file installs a toolbar and a Browser Helper Object (BHO). The BHO connects to coupons.com at every Internet Explorer startup in order to download the latest updates. The toolbar displays bonus vouchers which can be printed or used online. When uninstalled, nearly all the files and registry entries remain on the system.

Privacy Statement: Coupons, Inc. uses the information that we collect to operate, maintain, and provide to you all of the coupons and promotional offerings found on the Sites and for other non-marketing or administrative purposes such as notifying you of major service updates or for customer service purposes.

Coupons, Inc. uses all of the information that we collect from our Consumers to understand the usage trends and preferences, to improve the way the Sites work and look, to improve our marketing and promotional efforts, and to create new features and functionality.

Coupons, Inc. uses "automatically collected" data to (a) process and record coupon printing and redemption activity; (b) store information so that you will not have to re-enter it during your visit or the next time you use the Sites; (c) provide custom, personalized coupon promotions, advertisements, content, and information; (d) monitor the effectiveness of marketing campaigns; and (e) monitor aggregate usage metrics such as total number of visitors and pages viewed. [...]

Coupons, Inc. discloses "automatically collected" data (such as coupon print and redeem activity) to its Clients and third-party ad servers and advertisers. These third parties may match this data with information that they have previously collected about you under their own privacy policies, which you should consult on a regular basis.

-- TimLefler - 24 Jun 2009



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; sid:2002348; rev:2;)

Added 2008-01-28 17:24:21 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; sid:2002348; rev:1;)


