# rev 11 (updated_at 2020_10_16): alerts only when the User-Agent value is exactly "Mz" -- depth:2 pins the content to the start of the http_user_agent buffer and isdataat:!1,relative requires that no byte follows it.
# Differs from the next snapshot on this page only in updated_at; rev was not bumped, so sid:rev alone does not tell the two apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"Mz"; http_user_agent; depth:2; isdataat:!1,relative; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:11; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
Added 2020-10-16 18:22:54 UTC
# rev 11 (metadata merged): same detection options as the 2019-10-11 snapshot below; former_category is folded into the single trailing metadata keyword. rev is unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"Mz"; http_user_agent; depth:2; isdataat:!1,relative; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:11; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_10_11;)
Added 2020-08-05 19:05:02 UTC
# rev 11 (first snapshot): the match moves from the raw header line in http_header to the http_user_agent buffer, with depth:2 and isdataat:!1,relative so that only an agent of exactly "Mz" alerts. msg returns to the ET TROJAN prefix.
# NOTE(review): the metadata keyword appears twice in this snapshot (former_category here, created_at/updated_at at the end).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"Mz"; http_user_agent; depth:2; isdataat:!1,relative; metadata: former_category USER_AGENTS; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:11; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
Added 2019-10-11 19:56:22 UTC
# rev 10: msg prefix is ET USER_AGENTS with former_category TROJAN recorded in metadata. Detection is the header line "User-Agent: Mz\r\n" in the http_header buffer; the trailing CRLF keeps longer agents that merely start with "Mz" from matching.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;)
Added 2018-09-13 19:39:16 UTC
Added 2018-09-13 17:53:32 UTC
# rev 10 (repeat snapshot): text is the same as the other rev 10 entries on this page -- "User-Agent: Mz\r\n" matched in http_header, msg prefix ET USER_AGENTS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;)
Added 2017-10-30 18:17:27 UTC
# rev 10 (earliest snapshot): compared with rev 9 below, only the msg prefix (ET TROJAN -> ET USER_AGENTS), the added former_category metadata and updated_at change; the content match is the same.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;)
Added 2017-10-30 16:39:36 UTC
# rev 9: the header changes from "alert tcp ... $HTTP_PORTS" to "alert http ... any", so the rule no longer depends on the destination port being in $HTTP_PORTS. created_at/updated_at metadata is added; the content match is unchanged from rev 7.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:00:51 UTC
# rev 7 (option order only): classtype now follows the reference options; the detection options are the same as in the other rev 7 snapshots on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:7;)
Added 2011-10-12 19:23:24 UTC
# rev 7 (reference cleanup): the cvsweb.cgi reference present in the older rev 7 snapshot below is removed; the detection options are unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; sid:2007594; rev:7;)
Added 2011-09-14 22:36:57 UTC
# rev 7: content drops the leading CRLF, writes the colon as |3a|, and gains the http_header modifier, so "User-Agent: Mz\r\n" is looked for in the HTTP header buffer instead of the raw stream payload used in rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:7;)
Added 2011-02-04 17:26:42 UTC
# rev 5: content is bounded by CRLF on both sides ("\r\nUser-Agent: Mz\r\n"), so only an agent of exactly "Mz" matches. That excludes the long Symantec LiveUpdate agent reported further down this page.
# It also means the MzApp and MzLoader agents named in the 2008 note below are no longer matched by this sid; this page does not show whether another rule covers them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;)
Added 2009-09-25 14:00:37 UTC
# rev 5 (repeat snapshot, same timestamp as the entry above): CRLF-bounded "User-Agent: Mz" in the raw payload; msg changes from (Mz/MzApp) in rev 4 to (Mz).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;)
Added 2009-09-25 14:00:37 UTC
# rev 4: adds the doc.emergingthreats.net and cvsweb references. The content "User-Agent\: Mz" has no terminator, so any agent that begins with "Mz" alerts -- the Symantec LiveUpdate request quoted after this entry is one such false positive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;)
Added 2009-02-12 18:21:15 UTC
FPs on Symantec live updates
GET /streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip HTTP/1.1..
If-Modified-Since: Mon, 30 Mar 2009 00:14:34 GMT..
Cache-control: max-age=0..
Cache-Control: no-cache..
Cache-Control: max-stale=0..
Cache-Control: min-fresh=1000..
Accept: */*..
HOST: liveupdate.symantecliveupdate.com..
User-Agent: MzHRU1zAfcV0V14ymFccsIBLq1Iqg/QSQAAAAALUE..
Connection: Keep-Alive....
--
RussellFulton - 31 Mar 2009
# rev 4 (repeat snapshot): unterminated prefix match on "User-Agent\: Mz" in the raw payload; this is the form the Symantec LiveUpdate false-positive report on this page refers to.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;)
Added 2009-02-12 18:21:15 UTC
# rev 3: content is shortened to the prefix "User-Agent\: Mz" and msg becomes (Mz/MzApp), presumably to catch several Mz* agents with one rule. With no terminator after "Mz", any agent starting with those two characters matches (see the false-positive note that follows).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:3;)
Added 2008-07-14 10:00:22 UTC
This sig can get false positives at times from Symantec Updates. They tend to use a random string in the User-Agent field that can sometimes start with an Mz. These should be rare.
Real hits will be like "User-Agent: Mz\r\n" or "User-Agent: MzApp\r\n" or "User-Agent: MzLoader\r\n"
--
MattJonkman - 25 Aug 2008
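# rev 2: msg prefix renamed from BLEEDING-EDGE to ET; the detection is still the literal "User-Agent: MzApp" in client-to-server payload on $HTTP_PORTS.
# Rule text rejoined onto one line: the wiki rendering had split it around the CamelCase word "MzApp" and appended a stray "?" (link artifact), which left the quoted strings broken.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp)"; flow:established,to_server; content:"User-Agent\: MzApp"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:2;)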
Added 2008-01-31 10:12:22 UTC
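# rev 1 (original BLEEDING-EDGE rule): matches the literal "User-Agent: MzApp" in established client-to-server traffic to $HTTP_PORTS; there is no HTTP buffer modifier, so the content is searched in the raw payload.
# Rule text rejoined onto one line: the wiki rendering had split it around the CamelCase word "MzApp" and appended a stray "?" (link artifact), which left the quoted strings broken.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (MzApp)"; flow:established,to_server; content:"User-Agent\: MzApp"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:1;)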
Added 2007-09-03 13:16:46 UTC