# sid 2003380 rev 12 — newest entry on this page (metadata updated_at 2020_08_13).
# Fires on an outbound HTTP request whose User-Agent header line carries ")ver" followed by a digit,
# e.g. the "...InfoPath.2)ver33" UA in the packet captures further down this page.
# Both content matches are confined to the HTTP header buffer (http_header); distance:0 makes ")ver"
# match only after the "User-Agent: " content. Note nocase applies only to the "User-Agent: " content,
# so the ")ver" fast_pattern prefilter is case-sensitive even though the pcre carries the i flag.
# The pcre's H flag inspects the same header buffer and m lets ^ anchor at a header line start.
# Compared with the earlier rev 12 entry dated 2020-08-05, only updated_at changed; rev was not bumped.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
Added 2020-08-13 17:50:08 UTC
# sid 2003380 rev 12 (added 2020-08-05): detection options identical to the 2019-10-09 entry;
# the two separate metadata keywords were merged into a single, alphabetically ordered metadata block
# (former_category HUNTING, updated_at still 2017_10_30). Metadata-only change, rev unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2017_10_30;)
Added 2020-08-05 19:01:48 UTC
# sid 2003380 rev 12 (added 2019-10-09): msg category moved back from ET USER_AGENTS to ET TROJAN and
# former_category set to HUNTING; content/pcre options are unchanged from the 2017-10-30 entries.
# Carries two metadata keywords (former_category, then the main block). Rev not bumped for this change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)
Added 2019-10-09 19:08:39 UTC
# sid 2003380 rev 12 (added 2017-10-30 18:17): re-categorised as ET USER_AGENTS (former_category TROJAN)
# with updated_at 2017_10_30. Detection options are identical to rev 11; only msg/metadata changed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)
Added 2017-10-30 18:17:25 UTC
# sid 2003380 rev 12 (added 2017-10-30 16:39): same rule text as the 18:17 entry of the same day;
# this is the first appearance of the ET USER_AGENTS category and rev 12 for this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)
Added 2017-10-30 16:39:34 UTC
# sid 2003380 rev 11 (added 2017-08-07): adds the metadata keywords (former_category TROJAN, affected_product,
# attack_target, deployment, tags, severity, created_at/updated_at) to the rev 11 rule below; detection unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)
Added 2017-08-07 20:56:40 UTC
# sid 2003380 rev 11 (added 2017-05-12): first revision to use the http application-layer protocol
# ("alert http ... -> $EXTERNAL_NET any") instead of "alert tcp ... $HTTP_PORTS", so matching no longer
# depends on the destination port list. The msg drops the comma in "(ver18/ver19 etc)". Other options match rev 10.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:11;)
Added 2017-05-12 14:59:42 UTC
# sid 2003380 rev 10 (added 2012-07-16): adds distance:0 to the ")ver" content so it is only matched
# after the "User-Agent: " content within the header buffer; otherwise identical to rev 9.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:10;)
Added 2012-07-16 19:40:05 UTC
# sid 2003380 rev 9 (added 2011-10-12): same options as the 2011-09-14 rev 9 entry, with the
# reference and classtype keywords swapped in order. No detection change, rev unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:9;)
Added 2011-10-12 19:13:21 UTC
# sid 2003380 rev 9 (added 2011-09-14): drops the www.emergingthreats.net cvsweb reference URL that the
# 2011-02-04 rev 9 entry carried; detection options unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; sid:2003380; rev:9;)
Added 2011-09-14 22:26:19 UTC
# sid 2003380 rev 9 (added 2011-02-04): first HTTP-buffer version. Replaces the raw-payload
# "|0d 0a|User-Agent: " content with "User-Agent|3a| " in the http_header buffer, makes ")ver" the
# fast_pattern (dropping within:250), and anchors the pcre at a header line start via ^ with the H (header
# buffer) and m (multiline) flags. This removes the dependence on raw CRLF placement used by rev 6.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:9;)
Added 2011-02-04 17:22:26 UTC
# sid 2003380 rev 6 (added 2010-05-07 15:01): raw-payload form, no HTTP buffers. The leading |0d 0a|
# forces the "User-Agent: " content to start on a header line; ")ver" must occur within 250 bytes of it
# (rev 5 used within:100); the pcre then confirms ")ver" followed by a digit on the same line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)
Added 2010-05-07 15:01:04 UTC
Reference:
http://www.threatexpert.com/report.aspx?md5=81f97ba5517e0a2b7d1336d7233bb0ea
Matches the observed URL exactly.
--
RussellFulton - 28 Jun 2010
# sid 2003380 rev 6 (added 2010-05-07 15:01): identical rule text to the rev 6 entry shown above the
# threatexpert reference comment; within:250 between the "User-Agent: " and ")ver" contents.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)
Added 2010-05-07 15:01:04 UTC
# sid 2003380 rev 6 (added 2010-05-07 14:59): same rule text as the 15:01 rev 6 entries; re-added two minutes later.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)
Added 2010-05-07 14:59:21 UTC
# sid 2003380 rev 6 (added 2010-05-07 14:59): first rev 6 entry. Only change from rev 5 is within:100 -> within:250,
# widening the allowed gap between the "User-Agent: " content and ")ver" to accommodate longer UA strings.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)
Added 2010-05-07 14:59:21 UTC
# sid 2003380 rev 5 (added 2010-03-08): same rule text as the other rev 5 entry below; within:100.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:100; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:5;)
Added 2010-03-08 23:15:50 UTC
# sid 2003380 rev 5 (added 2010-03-08): introduces the ")ver" content as a second prefilter, bounded by
# within:100 from the "User-Agent: " content, and prefixes that content with |0d 0a| so it anchors to a
# header line. Rev 4 relied on the pcre alone after a bare "User-Agent:" content match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:100; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:5;)
Added 2010-03-08 23:15:50 UTC
# sid 2003380 rev 4 (added 2009-02-12): only a case-insensitive "User-Agent:" content prefilter; the pcre
# alone enforces ")ver" + digit on the header line. Adds the doc.emergingthreats.net and cvsweb
# reference URLs compared with rev 3. Same text as the rev 4 entry further down the page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:4;)
Added 2009-02-12 18:21:15 UTC
08:25:34.680965 IP 192.168.1.111.1260 > 195.2.253.233.80: P 3305639177:3305639395(218) ack 1394353960 win 17640
0x0000: 4500 0102 295f 4000 8006 4d93 c0a8 016f E...)_@...M....o
0x0010: c302 fde9 04ec 0050 c508 0d09 531c 2728 .......P....S.'(
0x0020: 5018 44e8 4239 0000 4745 5420 2f70 726f P.D.B9..GET./pro
0x0030: 6773 2f72 6f79 796c 2f66 6370 7064 646d gs/royyl/fcppddm
0x0040: 612e 7068 703f 6164 763d 6164 7634 3738 a.php?adv=adv478
0x0050: 2048 5454 502f 312e 310d 0a55 7365 722d .HTTP/1.1..User-
0x0060: 4167 656e 743a 204d 6f7a 696c 6c61 2f34 Agent:.Mozilla/4
0x0070: 2e30 2028 636f 6d70 6174 6962 6c65 3b20 .0.(compatible;.
0x0080: 4d53 4945 2037 2e30 3b20 5769 6e64 6f77 MSIE.7.0;.Window
0x0090: 7320 4e54 2035 2e31 3b20 2e4e 4554 2043 s.NT.5.1;..NET.C
0x00a0: 4c52 2031 2e31 2e34 3332 323b 202e 4e45 LR.1.1.4322;..NE
0x00b0: 5420 434c 5220 322e 302e 3530 3732 373b T.CLR.2.0.50727;
0x00c0: 202e 4e45 5420 434c 5220 332e 302e 3034 ..NET.CLR.3.0.04
0x00d0: 3530 362e 3330 3b20 496e 666f 5061 7468 506.30;.InfoPath
0x00e0: 2e32 2976 6572 3333 0d0a 486f 7374 3a20 .2)ver33..Host:.
0x00f0: 6162 6b7a 6664 696c 6b6f 2e63 6f6d 0d0a abkzfdilko.com..
0x0100: 0d0a ..
--
JackPepper - 11 May 2009
08:25:36.676987 00:18:de:d5:29:9a > 00:17:95:14:4c:e5, ethertype IPv4 (0x0800), length 261: 192.168.1.111.1263 > 195.2.253.237.80: P 2462767555:2462767762(207) ack 1431489453 win 17640
0x0000: 4500 00f7 2978 4000 8006 4d81 c0a8 016f E...)x@...M....o
0x0010: c302 fded 04ef 0050 92ca d9c3 5552 cbad .......P....UR..
0x0020: 5018 44e8 ace6 0000 4745 5420 2f70 726f P.D.....GET./pro
0x0030: 6773 2f72 6f79 796c 2f67 6763 7171 6464 gs/royyl/ggcqqdd
0x0040: 652e 7068 7020 4854 5450 2f31 2e31 0d0a e.php.HTTP/1.1..
0x0050: 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi
0x0060: 6c6c 612f 342e 3020 2863 6f6d 7061 7469 lla/4.0.(compati
0x0070: 626c 653b 204d 5349 4520 372e 303b 2057 ble;.MSIE.7.0;.W
0x0080: 696e 646f 7773 204e 5420 352e 313b 202e indows.NT.5.1;..
0x0090: 4e45 5420 434c 5220 312e 312e 3433 3232 NET.CLR.1.1.4322
0x00a0: 3b20 2e4e 4554 2043 4c52 2032 2e30 2e35 ;..NET.CLR.2.0.5
0x00b0: 3037 3237 3b20 2e4e 4554 2043 4c52 2033 0727;..NET.CLR.3
0x00c0: 2e30 2e30 3435 3036 2e33 303b 2049 6e66 .0.04506.30;.Inf
0x00d0: 6f50 6174 682e 3229 7665 7233 330d 0a48 oPath.2)ver33..H
0x00e0: 6f73 743a 2062 6261 747a 6b76 6668 612e ost:.bbatzkvfha.
0x00f0: 6e65 740d 0a0d 0a net....
08:25:37.840344 00:18:de:d5:29:9a > 00:17:95:14:4c:e5, ethertype IPv4 (0x0800), length 258: 192.168.1.111.1264 > 195.2.253.237.80: P 2773256035:2773256239(204) ack 2866380504 win 17640
0x0000: 4500 00f4 2987 4000 8006 4d75 c0a8 016f E...).@...Mu...o
0x0010: c302 fded 04f0 0050 a54c 8763 aad9 7ed8 .......P.L.c..~.
0x0020: 5018 44e8 210b 0000 4745 5420 2f70 726f P.D.!...GET./pro
0x0030: 6773 2f72 6f79 796c 2f6b 7164 646a 2e70 gs/royyl/kqddj.p
0x0040: 6870 2048 5454 502f 312e 310d 0a55 7365 hp.HTTP/1.1..Use
0x0050: 722d 4167 656e 743a 204d 6f7a 696c 6c61 r-Agent:.Mozilla
0x0060: 2f34 2e30 2028 636f 6d70 6174 6962 6c65 /4.0.(compatible
0x0070: 3b20 4d53 4945 2037 2e30 3b20 5769 6e64 ;.MSIE.7.0;.Wind
0x0080: 6f77 7320 4e54 2035 2e31 3b20 2e4e 4554 ows.NT.5.1;..NET
0x0090: 2043 4c52 2031 2e31 2e34 3332 323b 202e .CLR.1.1.4322;..
0x00a0: 4e45 5420 434c 5220 322e 302e 3530 3732 NET.CLR.2.0.5072
0x00b0: 373b 202e 4e45 5420 434c 5220 332e 302e 7;..NET.CLR.3.0.
0x00c0: 3034 3530 362e 3330 3b20 496e 666f 5061 04506.30;.InfoPa
0x00d0: 7468 2e32 2976 6572 3333 0d0a 486f 7374 th.2)ver33..Host
0x00e0: 3a20 6262 6174 7a6b 7666 6861 2e6e 6574 :.bbatzkvfha.net
0x00f0: 0d0a 0d0a ....
--
JackPepper - 11 May 2009
In each of the above cases, the victim host downloaded a packed exe.
--
JackPepper - 11 May 2009
# sid 2003380 rev 4 (added 2009-02-12): first rev 4 entry; the three packet captures above show the
# "...InfoPath.2)ver33" User-Agent this pcre is written for. Detection relies on the pcre only, after a
# bare case-insensitive "User-Agent:" content match; two reference URLs added over rev 3.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:4;)
Added 2009-02-12 18:21:15 UTC
# sid 2003380 rev 3 (added 2008-01-31): same rule text as the other rev 3 entry below; no reference keywords yet.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:3;)
Added 2008-01-31 10:12:23 UTC
# sid 2003380 rev 3 (added 2008-01-31): msg prefix changed from BLEEDING-EDGE TROJAN to ET TROJAN;
# content, pcre and classtype are unchanged from rev 2.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:3;)
Added 2008-01-31 10:12:23 UTC
# sid 2003380 rev 2 (added 2007-05-21): appends "(ver18/ver19, etc)" to the msg to name the UA suffixes
# seen; detection options are identical to rev 1.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:2;)
Added 2007-05-21 09:15:26 UTC
# sid 2003380 rev 1: original Bleeding Edge signature. A case-insensitive "User-Agent:" content match
# followed by a pcre requiring ")ver" and a digit later on the same header line, in the raw payload of an
# established client-to-server TCP session to $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:1;)