alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; reference:url,anubis.iseclab.org/?action=result&task_id=138559df2a6ed04a401366a9c60e2e1cf&format=txt; classtype:bad-unknown; sid:2012908; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

Added 2017-08-07 21:06:07 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; reference:url,anubis.iseclab.org/?action=result&task_id=138559df2a6ed04a401366a9c60e2e1cf&format=txt; classtype:bad-unknown; sid:2012908; rev:2;)

Added 2011-10-12 19:35:30 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; classtype:bad-unknown; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; reference:url,anubis.iseclab.org/?action=result&task_id=138559df2a6ed04a401366a9c60e2e1cf&format=txt; sid:2012908; rev:2;)

Added 2011-05-31 15:33:09 UTC

Observed request/response payload:

GET /l.php?v=0.08&id=483854819&wv=6.0.2900.5512 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: dfngdrtjj-ltd.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 10:28:07 GMT
Server: Apache/2.2.17 (Win32) PHP/5.3.5
X-Powered-By: PHP/5.3.5
Content-Length: 20
Content-Type: text/html

<;<>;>==gCEV0SS90V<<;>>;

The string in this response is the base64-encoded string "WORKED", reversed.

See also 2012909.

-- DarrenSpruell - 01 Jun 2011
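As an added example (not from the original page or the ET ruleset), the following Python applies the signature's three URI content anchors and its PCRE to the observed request line, and undoes the response encoding described in the note. The assumption that every non-base64 character in the response body is wrapper text to discard is mine, based only on the sample above.

```python
import base64
import re

# PCRE from the ET signature (sid 2012908), minus the Snort /U modifier;
# the caller hands in the URI itself, so the modifier is not needed here.
CHECKIN_URI_RE = re.compile(r"\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$")

# Constructed sample input: the request line and response body quoted on this page.
SAMPLE_REQUEST_LINE = "GET /l.php?v=0.08&id=483854819&wv=6.0.2900.5512 HTTP/1.1"
SAMPLE_RESPONSE_BODY = "<;<>;>==gCEV0SS90V<<;>>;"


def uri_from_request_line(line: str) -> str:
    """Return the request-target from an HTTP request line such as 'GET /x HTTP/1.1'."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]


def matches_begman_checkin(uri: str) -> bool:
    """Mirror the signature: all three content anchors must be present, then the PCRE."""
    if not all(token in uri for token in (".php?v=", "&id=", "&wv=")):
        return False
    return CHECKIN_URI_RE.search(uri) is not None


def parse_checkin_fields(uri: str) -> dict:
    """Split the v / id / wv query fields out for an analyst's log line."""
    query = uri.split("?", 1)[1]
    return dict(pair.split("=", 1) for pair in query.split("&"))


def decode_checkin_response(body: str) -> str:
    """Undo the response encoding: drop wrapper characters outside the base64
    alphabet (assumption), reverse what remains, then base64-decode it.
    For the sample body this yields 'WORKED' plus a trailing newline, which is
    where the leading '==' padding in the reversed form comes from."""
    inner = re.sub(r"[^A-Za-z0-9+/=]", "", body)
    return base64.b64decode(inner[::-1]).decode("ascii")


if __name__ == "__main__":
    uri = uri_from_request_line(SAMPLE_REQUEST_LINE)
    print("matches signature:", matches_begman_checkin(uri))
    print("fields:", parse_checkin_fields(uri))
    print("decoded response:", repr(decode_checkin_response(SAMPLE_RESPONSE_BODY)))
```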


Topic revision: r2 - 2011-06-01 - DarrenSpruell