[Emerging-Sigs] Possible FPs for ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell) 2007840

CunningPike cunningpike at gmail.com
Tue Apr 22 18:05:41 EDT 2008


This sig is matching "User-Agent: Shell.." from your pcap - it's an 
unusual UA string that's being flagged.

Given that, and the geographical location of the domain, I would say 
that nothing good can come of it......

CP

Russell Fulton wrote:
> I am seeing quite a few of these going to msnshell.com --- anyone know  
> any more about them other than that it is an addon of msn?  Main  
> website is in Chinese.
> 
> What nasty is this designed to catch?
> 
> Russell.
> 
> META
>   SID: 6   CID: 13129661   TimeStamp: 2008-04-22 09:00:22
>   Signature: ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)   Sig ID: 2007840
>   Sensor Hostname: monitor-dmzo.isec.auckland.ac.nz   Sensor Interface: dmz sensor
> IP
>   Source Address: 130.216.139.25   Dest Address: 222.73.227.204
>   Ver: 4   Hdr Len: 5   TOS: 0   length: 387   ID: 25657   flags: 2   offset: 0   TTL: 125   chksum: 51251
>   Resolved Source: l.luo.crl.auckland.ac.nz   Resolved Dest: Could Not Resolve
> TCP
>   Source Port: 2269   Dest Port: 80   Seq: 1038878389   Ack: 1434485931   Offset: 5   Reserved: 0
>   Flags: 24   Window: 64512   Checksum: 18120   Urgent Ptr: 0
>   Options: None
>   Flags set: ACK, PSH
> 
> 
> DATA	
> 
> GET /gol.htm?MV=8.5.1302.1018&SV=4.2.28.32&L=0804&M=huwei at wi
> ndowslive.com HTTP/1.1..User-Agent: Shell..Host: shell09.msn
> shell.com..Connection: Keep-Alive..Cache-Control: no-cache..
> Cookie: __utma=87997444.1690372949.1205887655.1205887655.120
> 5888005.2; __utmz=87997444.1205888005.2.2.utmccn=(organic)|u
> tmcsr=google|utmctr=msnshell|utmcmd=organic....
> 
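Below is an added example, not code from this thread or from the Emerging Threats rule set, showing how to reproduce the signature's decision on the captured request so an analyst can triage possible false positives offline. It assumes (as the thread implies) that the rule fires on a User-Agent header whose value is exactly "Shell", and it reassembles the wrapped payload dump above into a normal CRLF-delimited request; the `M=` e-mail parameter is replaced with a placeholder and the benign browser request is constructed for comparison.

```python
from typing import Dict, Optional

# Constructed sample: the request from the alert above, with the ".." of the
# packet dump restored to CR LF and the e-mail address in the query replaced
# by a placeholder.
SUSPICIOUS_REQUEST = (
    b"GET /gol.htm?MV=8.5.1302.1018&SV=4.2.28.32&L=0804&M=<redacted> HTTP/1.1\r\n"
    b"User-Agent: Shell\r\n"
    b"Host: shell09.msnshell.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Cookie: __utma=87997444.1690372949.1205887655.1205887655.1205888005.2; "
    b"__utmz=87997444.1205888005.2.2.utmccn=(organic)|utmcsr=google|"
    b"utmctr=msnshell|utmcmd=organic\r\n"
    b"\r\n"
)

# Constructed benign request (ordinary browser UA) that should not match.
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)


def parse_headers(request: bytes) -> Dict[str, str]:
    """Return {lower-cased header name: value} from a raw HTTP/1.x request.

    Only the header block (up to the first blank line) is examined; the
    request line is skipped. Header names are case-insensitive in HTTP, so
    they are normalised to lower case; values are kept verbatim.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def matches_shell_ua(request: bytes) -> Optional[Dict[str, str]]:
    """Emulate the signature: fire when the User-Agent value is exactly 'Shell'.

    Assumption: the match is case-sensitive and on the whole value, so a UA
    such as 'PowerShell' or 'Shell/1.0' would not match here. Returns the
    fields an analyst needs to decide whether the hit is a false positive
    (the UA and the destination host), or None when the rule would not fire.
    """
    headers = parse_headers(request)
    ua = headers.get("user-agent")
    if ua == "Shell":
        return {"user_agent": ua, "host": headers.get("host", "")}
    return None


if __name__ == "__main__":
    for label, req in (("captured", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        hit = matches_shell_ua(req)
        print(f"{label}: {'ALERT ' + str(hit) if hit else 'no match'}")
```

Running this over a batch of captured requests and grouping hits by the returned `host` is a quick way to see whether every alert goes to the same add-on update server (a candidate for a site-specific suppression) or whether some hits point elsewhere and deserve a closer look.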

