EmergingThreats> Main Web>2007603 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Proxy.Win32.Wopla.ag Check-In"; flow:established,to_server; content:"|0a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; classtype:trojan-activity; sid:2007603; rev:1;)

Added 2007-09-06 01:49:00 UTC

Possible FP when desktop replies with CEIP message back to MS ?? Partial Packet capture follows:


Event ID : 3:1:2051713 Timestamp : 9/27/2007 7:59:17 AM Event Name : BLEEDING-EDGE TROJAN Proxy.Win32.Wopla.ag Check-In Classification : trojan-activity

IP Header Information : IPv4: 000.000.000.000 -> 131.107.113.76 Source: Local Tech's Desktop -> sqm.msn.com hlen=5 TOS=0 dlen=1172 ID=7303 flags=2 offset=0 TTL=127 chksum=43777

TCP Header Information : sport=1320 -> dport=80 flags=***AP*** seq=4000293484 ack=2468127061 off=5 res=0 win=65535 urp=0 chksum=64373 Options:

Packet Payload: 0A 00 00 00 00 00 00 00 00 00 00 00 D3 C5 00 00 ............??.. 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ 28 CE 00 00 00 00 00 00 04 00 00 00 00 00 00 00 (?.............. 00 00 00 00 36 CF 00 00 00 00 00 00 04 00 00 00 ....6?.......... 00 00 00 00 00 00 00 00 60 D4 00 00 00 00 00 00 ........`?...... 02 00 00 00 00 00 00 00 00 00 00 00 20 3A 01 00 ............ :.. 04 10 ED 0D 09 00 00 00 00 00 00 00 00 00 00 00 ..?............. 0B 6A 01 00 00 00 00 00 0A 00 00 00 00 00 00 00 .j.............. 00 00 00 00 8D 6A 01 00 00 00 00 00 02 00 00 00 ....?j.......... 00 00 00 00 00 00 00 00 D6 76 01 00 00 00 00 00 ........?v...... 0D 00 00 00 00 00 00 00 00 00 00 00 A5 D4 01 00 ............??..

-- RichardUllrich - 27 Sep 2007


Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2007-09-27 - RichardUllrich
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats