#alert tcp any any -> any 1024:65535 (msg:"BLEEDING-EDGE WORM Possible MS05-039
PnP? worm infection"; flow:established,to_server; content:"get winpnp.exe"; depth:200; nocase; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:trojan-activity; sid:2002185; rev:3;)