[Emerging-Sigs] Possible FPs for ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell) 2007840
Blake Hartstein
urule99 at gmail.com
Tue Apr 22 18:31:28 EDT 2008
I'm still not convinced it's malicious traffic, although it is
suspicious. It might just be a user with an msn extension from msnshell,
which does happen to have at least some Chinese influence.
According to http://www.pcprocesses.org/8653-process-msnshell.html, this
software has a 39% harmfulness rating, whatever that means.
MSN Shell is a new patch or extension with diverse functions extra for
MSN Messenger. What can you do with MSN Shell? You will be able to make
a backup of your winks, emoticons, ups and downs, configuration POP3
for the mail, occult the program so that nobody can accede to your
Messenger without your permission, direct access to several finders of
Internet.
According to
http://software-news-free.blogspot.com/2008/03/msnshell-422832.html
Blake
CunningPike wrote:
> This sig is matching "User-Agent: Shell.." from your pcap - it's an
> unusual UA string that's being flagged.
>
> Given that, and the geographical location of the domain, I would say
> that nothing good can come of it......
>
> CP
>
> Russell Fulton wrote:
>
>> I am seeing quite a few of these going to msnshell.com --- anyone know
>> any more about them other than that it is an addon of msn? Main
>> website is in Chinese.
>>
>> What nasty is this designed to catch?
>>
>> Russell.
>>
>> META
>> SID: 6   CID: 13129661   TimeStamp: 2008-04-22 09:00:22
>> Signature: ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)   Sig ID: 2007840
>> Sensor Hostname: monitor-dmzo.isec.auckland.ac.nz   Sensor Interface: dmz sensor
>>
>> IP
>> Source Address: 130.216.139.25   Dest Address: 222.73.227.204
>> Ver: 4   Hdr Len: 5   TOS: 0   length: 387   ID: 25657   flags: 2   offset: 0   TTL: 125   chksum: 51251
>> Resolved Source: l.luo.crl.auckland.ac.nz   Resolved Dest: Could Not Resolve
>>
>> TCP
>> Source Port: 2269   Dest Port: 80   Seq: 1038878389   Ack: 1434485931
>> Offset: 5   Reserved: 0   Flags: 24   Window: 64512   Checksum: 18120   Urgent Ptr: 0
>> Options: None
>> Flags set: ACK PSH (value 24 = 0x18; RB1, RB0, URG, RST, SYN, FIN clear)
>>
>>
>> DATA
>>
>> GET /gol.htm?MV=8.5.1302.1018&SV=4.2.28.32&L=0804&M=huwei at windowslive.com HTTP/1.1
>> User-Agent: Shell
>> Host: shell09.msnshell.com
>> Connection: Keep-Alive
>> Cache-Control: no-cache
>> Cookie: __utma=87997444.1690372949.1205887655.1205887655.1205888005.2; __utmz=87997444.1205888005.2.2.utmccn=(organic)|utmcsr=google|utmctr=msnshell|utmcmd=organic
>>
>>
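The tuning question this thread raises, a bare "Shell" User-Agent that may just be the MSN Shell add-on's update check, worked through as an added example. This is editor-added code, not from any poster or from Emerging Threats; the sample requests are constructed, the address in M= is a placeholder, and treating hosts under msnshell.com as the add-on's own servers is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples (not the thread's payload verbatim): the alerted request with the
# ".." the console uses for CRLF expanded, and the address in M= replaced by a placeholder.
MSNSHELL_REQUEST = (
    "GET /gol.htm?MV=8.5.1302.1018&SV=4.2.28.32&L=0804&M=user%40example.com HTTP/1.1\r\n"
    "User-Agent: Shell\r\nHost: shell09.msnshell.com\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
OTHER_REQUEST = "GET /x.php HTTP/1.1\r\nUser-Agent: Shell\r\nHost: example.net\r\n\r\n"
BROWSER_REQUEST = "GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: msnshell.com\r\n\r\n"

# Assumption: hosts under msnshell.com are the add-on's own update servers. The Host
# header is client-supplied, so a match here only lowers noise; it is not a clean verdict.
KNOWN_ADDON_HOSTS = ("msnshell.com",)


def parse_request(raw):
    """Split an HTTP/1.x request into method, path, query dict and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path,
            "query": parse_qs(parts.query), "headers": headers}


def ua_is_bare_shell(headers):
    """The rule's trigger: a User-Agent that is just 'Shell', with no product or version."""
    return re.fullmatch(r"shell", headers.get("user-agent", ""), re.IGNORECASE) is not None


def classify(raw):
    """Return (rule_fired, reason) so an analyst sees why a hit is or is not worth chasing."""
    req = parse_request(raw)
    if not ua_is_bare_shell(req["headers"]):
        return (False, "user-agent is not bare 'Shell'")
    host = req["headers"].get("host", "").lower().rsplit(":", 1)[0]
    addon_host = any(host == d or host.endswith("." + d) for d in KNOWN_ADDON_HOSTS)
    update_check = req["path"] == "/gol.htm" and {"MV", "SV"}.issubset(req["query"])
    if addon_host and update_check:
        return (True, "probable MSN Shell add-on update check (likely FP, review)")
    return (True, "bare 'Shell' user-agent to unrecognised host " + host)
```

The same bare User-Agent to a host outside the add-on's zone still comes back as a live hit, which is the case the signature exists for.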