alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV? HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; nocase; uricontent:"loads2.php?r="; nocase; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]+/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010598; rev:2;)

Added 2009-12-29 10:00:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV? HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; nocase; uricontent:"loads2.php?r="; nocase; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]+/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010598; rev:2;)

Added 2009-12-29 09:58:48 UTC


Topic revision: r1 - 2009-12-29 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats