# sid:2006415 rev:4: the newest revision listed on this page.
# Scope: established TCP flows, client-to-server, from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS.
#   The same request sent to a port outside $HTTP_PORTS is not inspected by this rule.
# content: bytes 0x35 0x70 (ASCII "5p") immediately followed by "User-Agent: ", matched case-insensitively (nocase).
# pcre: the same "5pUser-Agent: " prefix followed by at least 115 characters from [a-zA-Z0-9].
#   - No /i flag: the pcre is case-sensitive, and since both options must match, nocase on the content
#     does not widen what finally alerts.
#   - No end anchor after {115}: alphanumeric runs longer than 115 match as well.
#   - No R (relative) modifier: the pcre is searched from the start of the payload, not from the content match.
# Neither option carries an HTTP buffer modifier, so matching is against the payload as a whole.
# msg and classtype label a hit as an infection check-in, so the $HOME_NET source host is the one to triage.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQHelper Related User-Agent Infection Checkin"; flow:established,to_server; content:"|35 70|User-Agent\: "; nocase; pcre:"/\x35\x70User-Agent\: [a-zA-Z0-9]{115}/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_QQHelper; sid:2006415; rev:4;)
Added 2009-02-13 19:30:24 UTC
# Second listing of rev:4 on this page, carrying the same rule text and the same "Added" timestamp.
# Alerts on "5pUser-Agent: " (0x35 0x70 prefix) followed by 115 or more [a-zA-Z0-9] characters,
# client-to-server on established flows from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQHelper Related User-Agent Infection Checkin"; flow:established,to_server; content:"|35 70|User-Agent\: "; nocase; pcre:"/\x35\x70User-Agent\: [a-zA-Z0-9]{115}/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_QQHelper; sid:2006415; rev:4;)
Added 2009-02-13 19:30:24 UTC
# rev:3: header, flow, content and pcre are the same as in rev:4, so detection behaviour is unchanged.
# The difference from rev:4 is metadata only: the two reference:url options are not present in this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQHelper Related User-Agent Infection Checkin"; flow:established,to_server; content:"|35 70|User-Agent\: "; nocase; pcre:"/\x35\x70User-Agent\: [a-zA-Z0-9]{115}/"; classtype:trojan-activity; sid:2006415; rev:3;)
Added 2008-06-06 20:49:01 UTC
# Second listing of rev:3 on this page, carrying the same rule text and the same "Added" timestamp.
# No reference options; matches "5pUser-Agent: " plus 115 or more [a-zA-Z0-9] characters toward $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQHelper Related User-Agent Infection Checkin"; flow:established,to_server; content:"|35 70|User-Agent\: "; nocase; pcre:"/\x35\x70User-Agent\: [a-zA-Z0-9]{115}/"; classtype:trojan-activity; sid:2006415; rev:3;)
Added 2008-06-06 20:49:01 UTC
# rev:2: the msg text still contains " -- " between "User-Agent" and "Infection Checkin"; rev:3 drops it.
# Header, flow, content, pcre and classtype are the same as in the later revisions, so alert strings
# differ between revisions but the traffic that triggers them does not.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQHelper Related User-Agent -- Infection Checkin"; flow:established,to_server; content:"|35 70|User-Agent\: "; nocase; pcre:"/\x35\x70User-Agent\: [a-zA-Z0-9]{115}/"; classtype:trojan-activity; sid:2006415; rev:2;)
Added 2008-01-31 10:12:23 UTC
# Second listing of rev:2 on this page, carrying the same rule text and the same "Added" timestamp.
# msg uses the " -- " separator; matches "5pUser-Agent: " plus 115 or more [a-zA-Z0-9] characters toward $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQHelper Related User-Agent -- Infection Checkin"; flow:established,to_server; content:"|35 70|User-Agent\: "; nocase; pcre:"/\x35\x70User-Agent\: [a-zA-Z0-9]{115}/"; classtype:trojan-activity; sid:2006415; rev:2;)
Added 2008-01-31 10:12:23 UTC
# rev:1: earliest revision on this page; the msg is prefixed "BLEEDING-EDGE TROJAN" where later revisions use "ET TROJAN".
# Searches or correlation rules keyed on the msg string need both prefixes to cover alerts from every revision;
# keying on sid:2006415 avoids that, since the sid is the same in all revisions shown here.
# Header, flow, content, pcre and classtype are the same as in the later revisions.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN QQHelper Related User-Agent -- Infection Checkin"; flow:established,to_server; content:"|35 70|User-Agent\: "; nocase; pcre:"/\x35\x70User-Agent\: [a-zA-Z0-9]{115}/"; classtype:trojan-activity; sid:2006415; rev:1;)
Added 2007-07-20 02:45:36 UTC
From the Sandnet Analysis:
http://www.sophos.com/security/analyses/qqhelper.html
--
ShirkDog - 23 Aug 2007