alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:3;)

Added 2008-07-14 10:00:22 UTC

This sig can get false positives at times from Symantec Updates. They tend to use a random string in the User-Agent field that can sometimes start with an Mz. These should be rare.

Real hits will be like "User-Agent: Mz\r\n" or "User-Agent: MzApp?\r\n" or "User-Agent: MzLoader?\r\n"

-- MattJonkman - 25 Aug 2008

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:2;)

Added 2008-01-31 10:12:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:1;)

Added 2007-09-03 13:16:46 UTC