alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; flowbits:isnotset,ET.Maas.Site.Download; flowbits:isnotset,ET.Mcafee.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:23; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_09_01;)
Added 2020-09-01 18:11:21 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; flowbits:isnotset,ET.Maas.Site.Download; flowbits:isnotset,ET.Mcafee.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:23; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2019_09_05;)
Added 2020-08-05 19:05:24 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; flowbits:isnotset,ET.Maas.Site.Download; flowbits:isnotset,ET.Mcafee.Site.Download; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:23; metadata:created_at 2010_07_30, updated_at 2019_09_05;)
Added 2019-09-05 19:11:52 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; flowbits:isnotset,ET.Maas.Site.Download; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:22; metadata:created_at 2010_07_30, updated_at 2019_01_02;)
Added 2019-01-02 18:47:23 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:21; metadata:created_at 2010_07_30, updated_at 2018_11_28;)
Added 2018-11-28 18:39:53 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http_content_type; content:"text/plain"; nocase; file_data; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; metadata: former_category INFO; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:20; metadata:created_at 2010_07_30, updated_at 2017_12_21;)
Added 2018-09-13 19:39:55 UTC
Added 2018-09-13 17:53:53 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http_content_type; content:"text/plain"; nocase; file_data; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; metadata: former_category INFO; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:20; metadata:created_at 2010_07_30, updated_at 2017_12_21;)
Added 2017-12-21 16:30:36 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:18; metadata:created_at 2010_07_30, updated_at 2016_12_06;)
Added 2017-08-07 21:01:36 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:18;)
Added 2016-12-07 16:49:15 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:18;)
Added 2016-12-06 17:44:54 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:17;)
Added 2016-08-16 18:12:33 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:16;)
Added 2016-08-09 18:48:34 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:15;)
Added 2016-05-11 17:35:56 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:14;)
Added 2015-12-18 15:29:25 UTC
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:7;)
Added 2013-08-06 19:57:58 UTC
False positive from
http://platformdl.adobe.com/SSN/AIH/meta/reader11_en_11003.solidpkg, which is used during the Adobe Reader update.
--
JedLaundry - 2013-09-16
False positive on updates from NVIDIA.
--
RyPeck - 2014-04-11
Thanks Ryan. Would you happen to know if this occurred via their website or through their
GeForce Experience tool? Thanks!
--
DarienH - 2014-04-14
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:6;)
Added 2012-08-07 18:51:57 UTC
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:4;)
Added 2012-03-07 18:45:00 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:3;)
Added 2011-10-12 19:25:08 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; sid:2008438; rev:3;)
Added 2011-09-14 22:38:35 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;)
Added 2011-02-04 17:27:37 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;)
Added 2009-09-14 17:00:37 UTC
Looks like this is triggering a false positive on a "superantispyware.com" update of some type. Seemingly a legitimate .exe download served with "Content-Type: text/plain". Poor practice on their end?
--
IanR - 12 Oct 2010
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;)
Added 2009-09-14 17:00:37 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;)
Added 2009-09-14 16:59:37 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;)
Added 2009-09-14 16:59:37 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established; content:"Content-Type\: text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:2;)
Added 2009-02-08 17:30:23 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established; content:"Content-Type\: text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:2;)
Added 2009-02-08 17:30:23 UTC
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established; content:"Content-Type\: text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; sid:2008438; rev:1;)
Added 2008-07-17 17:00:22 UTC