alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;) Added 2018-09-13 19:39:16 UTC
Added 2018-09-13 17:53:32 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;) Added 2017-10-30 18:17:27 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;) Added 2017-10-30 16:39:36 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Added 2017-08-07 21:00:51 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:7;) Added 2011-10-12 19:23:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; sid:2007594; rev:7;) Added 2011-09-14 22:36:57 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:7;) Added 2011-02-04 17:26:42 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;) Added 2009-09-25 14:00:37 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;) Added 2009-09-25 14:00:37 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;) Added 2009-02-12 18:21:15 UTC FPs on Symantec live updates
GET /streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip HTTP/1.1.. If-Modified-Since: Mon, 30 Mar 2009 00:14:34 GMT.. Cache-control: max-age=0.. Cache-Control: no-cache.. Cache-Control: max-stale=0.. Cache-Control: min-fresh=1000.. Accept: */*.. HOST: liveupdate.symantecliveupdate.com.. User-Agent: MzHRU1zAfcV0V14ymFccsIBLq1Iqg/QSQAAAAALUE.. Connection: Keep-Alive....-- RussellFulton - 31 Mar 2009
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;) Added 2009-02-12 18:21:15 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:3;) Added 2008-07-14 10:00:22 UTC This sig can get false positives at times from Symantec Updates. They tend to use a random string in the User-Agent field that can sometimes start with an Mz. These should be rare. Real hits will be like "User-Agent: Mz\r\n" or "User-Agent: MzApp?\r\n" or "User-Agent: MzLoader?\r\n" -- MattJonkman - 25 Aug 2008
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:2;) Added 2008-01-31 10:12:22 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:1;) Added 2007-09-03 13:16:46 UTC
Topic revision: r4 - 2009-03-31 - MattJonkman
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats