alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mydoom.O@mm HTTP Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"&kgs=0&kls=0&nbq="; classtype:trojan-activity; sid:2008844; rev:1;)

Added 2008-12-03 17:49:56 UTC

This seems to go off for www.altavista.com requests which point to a yahoo DNS entry. 72.30.186.25 is the host I got

     GET /web/results/?q=query.&kgs=0&kls=0&nbq=25&stq=50 

The uricontent parameters align with the default search terms.

-- ChrisGreen - 08 Jan 2009

Thanks for the report. I've removed the sig. There's no real better way to put it, and the trojan is faded away anyway. Thanks for the report!!

-- MattJonkman - 09 Jan 2009

Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.

---