2002970 < Main < EmergingThreats

EmergingThreats>

Main Web>2002970 (2007-07-27, MattJonkman)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:30:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:30:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:29:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:29:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:7;)

Added 2008-05-09 17:01:40 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:7;)

Added 2008-05-09 17:01:40 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:6;)

Added 2008-02-01 14:32:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:6;)

Added 2008-02-01 14:32:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:5;)

Added 2008-01-28 17:24:20 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:5;)

Added 2008-01-28 17:24:20 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:4;)

Added 2007-07-27 03:31:17 UTC

Negating avert labs false positive

-- MattJonkman - 27 Jul 2007

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; classtype:trojan-activity; sid:2002970; rev:3;)

Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions

Topic revision: r2 - 2007-07-27 - MattJonkman

Main

Log In

User Reference
ATasteOfTWiki
TextFormattingRules

Signature Reference
WebRss Feed
EmergingFAQ

Copyright © Emerging Threats