alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Proxy.Win32.Wopla.ag Check-In"; flow:established,to_server; content:"|0a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; classtype:trojan-activity; sid:2007603; rev:1;)

Added 2007-09-06 01:49:00 UTC

Possible FP when desktop replies with CEIP message back to MS ?? Partial Packet capture follows:

---

Event ID : 3:1:2051713 Timestamp : 9/27/2007 7:59:17 AM Event Name : BLEEDING-EDGE TROJAN Proxy.Win32.Wopla.ag Check-In Classification : trojan-activity

IP Header Information : IPv4: 000.000.000.000 -> 131.107.113.76 Source: Local Tech's Desktop -> sqm.msn.com hlen=5 TOS=0 dlen=1172 ID=7303 flags=2 offset=0 TTL=127 chksum=43777

TCP Header Information : sport=1320 -> dport=80 flags=***AP*** seq=4000293484 ack=2468127061 off=5 res=0 win=65535 urp=0 chksum=64373 Options:

Packet Payload: 0A 00 00 00 00 00 00 00 00 00 00 00 D3 C5 00 00 ............??.. 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ 28 CE 00 00 00 00 00 00 04 00 00 00 00 00 00 00 (?.............. 00 00 00 00 36 CF 00 00 00 00 00 00 04 00 00 00 ....6?.......... 00 00 00 00 00 00 00 00 60 D4 00 00 00 00 00 00 ........`?...... 02 00 00 00 00 00 00 00 00 00 00 00 20 3A 01 00 ............ :.. 04 10 ED 0D 09 00 00 00 00 00 00 00 00 00 00 00 ..?............. 0B 6A 01 00 00 00 00 00 0A 00 00 00 00 00 00 00 .j.............. 00 00 00 00 8D 6A 01 00 00 00 00 00 02 00 00 00 ....?j.......... 00 00 00 00 00 00 00 00 D6 76 01 00 00 00 00 00 ........?v...... 0D 00 00 00 00 00 00 00 00 00 00 00 A5 D4 01 00 ............??..

-- RichardUllrich - 27 Sep 2007

Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.

---