# sid 2009529, rev 2: fake/rogue AV fetching an EXE through Microsoft BITS.
# Scope: TCP from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS, client-to-server
# side of an established session only (flow:established,to_server).
# Match logic, all three conditions required:
#   1. content:"GET "; depth:4      - payload begins with the GET method.
#   2. uricontent:"/pcdef.exe"      - substring of the URI, case-insensitive.
#   3. User-Agent content           - the header line must be exactly
#      "Microsoft BITS/6.6"; the leading and trailing |0d 0a| pin it between
#      CRLFs, so any other BITS version string will not match.
# Triage notes: BITS is a legitimate Windows transfer service, so the
# User-Agent alone is not suspicious; the signal is its combination with the
# fixed file name. Both the file name and the BITS version are static, so a
# renamed payload or a different BITS build is not covered by this rule.
# Only cleartext HTTP on $HTTP_PORTS is inspected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN FAKE/ROGUE AV using MS BITS to GET EXE"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/pcdef.exe"; nocase; content:"|0d 0a|User-Agent\: Microsoft BITS/6.6|0d 0a|"; nocase; classtype:trojan-activity; reference:url,67.97.80.71/vil/content/v_155899.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=4005213&cs=53F75BF0E217825FA3F31F7739C41290; reference:url,doc.emergingthreats.net/2009529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FakeAV; sid:2009529; rev:2;)

Added 2009-07-09 18:45:36 UTC


# sid 2009529, rev 2 (same sid and rev as the first listing on this page).
# Alerts on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, $HTTP_PORTS,
# established flow, to_server) whose URI contains "/pcdef.exe" (nocase) and
# whose User-Agent header line is exactly "Microsoft BITS/6.6" (nocase,
# bounded by CRLF on both sides).
# depth:4 applies to the "GET " content only: the method must sit in the
# first four payload bytes.
# Detection is keyed to one file name and one BITS version string; treat a
# hit as a lead to confirm on the endpoint rather than as proof on its own,
# since BITS itself is a standard Windows component.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN FAKE/ROGUE AV using MS BITS to GET EXE"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/pcdef.exe"; nocase; content:"|0d 0a|User-Agent\: Microsoft BITS/6.6|0d 0a|"; nocase; classtype:trojan-activity; reference:url,67.97.80.71/vil/content/v_155899.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=4005213&cs=53F75BF0E217825FA3F31F7739C41290; reference:url,doc.emergingthreats.net/2009529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FakeAV; sid:2009529; rev:2;)

Added 2009-07-09 18:45:36 UTC


# sid 2009529, rev 1: original revision of the fake/rogue AV BITS download
# signature. It carries two reference URLs only; there are no
# emergingthreats.net references in this revision.
# Conditions (all must hold on a to_server packet of an established TCP
# session from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS):
#   - "GET " within the first 4 payload bytes (depth:4)
#   - "/pcdef.exe" anywhere in the URI, case-insensitive (uricontent; nocase)
#   - a header line reading exactly "User-Agent: Microsoft BITS/6.6",
#     delimited by CRLF before and after, case-insensitive
# Coverage is limited to that literal file name and BITS version; the
# User-Agent by itself also appears in benign BITS transfers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN FAKE/ROGUE AV using MS BITS to GET EXE"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/pcdef.exe"; nocase; content:"|0d 0a|User-Agent\: Microsoft BITS/6.6|0d 0a|"; nocase; classtype:trojan-activity; reference:url,67.97.80.71/vil/content/v_155899.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=4005213&cs=53F75BF0E217825FA3F31F7739C41290; sid:2009529; rev:1;)

Added 2009-07-09 13:37:47 UTC


Topic revision: r1 - 2009-07-09 - TWikiGuest
 