alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)
Added 2009-02-09 21:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)
Added 2009-02-09 21:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)
Added 2009-02-09 21:29:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)
Added 2009-02-09 21:29:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:7;)
Added 2008-05-09 17:01:40 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:7;)
Added 2008-05-09 17:01:40 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:6;)
Added 2008-02-01 14:32:22 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:6;)
Added 2008-02-01 14:32:22 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:5;)
Added 2008-01-28 17:24:20 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:5;)
Added 2008-01-28 17:24:20 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:4;)
Added 2007-07-27 03:31:17 UTC
Negating avert labs false positive
--
MattJonkman - 27 Jul 2007
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VB
WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; classtype:trojan-activity; sid:2002970; rev:3;)