[Emerging-Sigs] FP in 2007591 (Win32 Agent.ALT C&C Checkin)
Jonathan Scheidell
jscheidell at secnap.net
Fri Feb 29 11:18:23 EST 2008
Current content looks for "|00 01|" but reference refers to content as being "|00 01 e4 8a 1a|" (for the 10 byte payload).
http://doc.emergingthreats.net/bin/view/Main/Win32AgentALT
FP we got had content of "|00 01 00 00 02 02 44 01 00 3B|" with a payload size of 10 bytes total.
Maybe enhance the current SID content match from "|00 01|" to "|00 01 e4 8a 1a|", which I think is the payload for the actual virus when it has a 10-byte payload.
This would also affect the following SIDs:
2007588 (change "|00 02|" to "|00 02 5e 3b 5a 86 b9 05|")
2007589 (change "|00 03|" to "|00 03 b9 70 cb 70|")
2007590 (change "|00 04|" to "|00 04 0f 9a|")
Thoughts?
--
Jon Scheidell
SECNAP Network Security
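To see why the two-byte match is too loose, here is an added example (not from the list post or the Emerging Threats rules themselves) that parses Snort-style `|hex|` content strings and checks the FP payload quoted above against the current and proposed content for each SID; the parse_content/evaluate names, the depth emulation, and the padded reference payload are my assumptions.

```python
import re
from typing import Optional, Tuple

# Snort/Suricata content strings mix literal text with |hex| pipe sections,
# e.g. "|00 01 e4 8a 1a|".  This turns one such string into raw bytes.
_PIPE = re.compile(r"\|([0-9A-Fa-f\s]*)\|")

def parse_content(content: str) -> bytes:
    out, pos = bytearray(), 0
    for m in _PIPE.finditer(content):
        out += content[pos:m.start()].encode("latin-1")  # literal text outside pipes
        out += bytes.fromhex(m.group(1))                  # hex inside pipes
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)

def matches(payload: bytes, content: str, depth: Optional[int] = None,
            dsize: Optional[int] = None) -> bool:
    """Emulate content (searched within the first `depth` bytes) plus dsize."""
    if dsize is not None and len(payload) != dsize:
        return False
    needle = parse_content(content)
    haystack = payload if depth is None else payload[:depth]
    return needle in haystack

# Current vs. proposed content per SID, as listed in the mail.
RULES = {
    2007591: ("|00 01|", "|00 01 e4 8a 1a|"),
    2007588: ("|00 02|", "|00 02 5e 3b 5a 86 b9 05|"),
    2007589: ("|00 03|", "|00 03 b9 70 cb 70|"),
    2007590: ("|00 04|", "|00 04 0f 9a|"),
}

def evaluate(sid: int, payload: bytes, dsize: Optional[int] = None) -> Tuple[bool, bool]:
    """Return (current_fires, proposed_fires) for one SID on one payload.
    Each content is anchored at the start of the payload via depth=len(content)."""
    current, proposed = RULES[sid]
    return (matches(payload, current, depth=len(parse_content(current)), dsize=dsize),
            matches(payload, proposed, depth=len(parse_content(proposed)), dsize=dsize))

# Constructed samples: the false-positive payload quoted in the mail, and the
# reference checkin prefix padded to 10 bytes (tail bytes are placeholders; the
# mail only gives the first five).
FP_PAYLOAD = bytes.fromhex("00 01 00 00 02 02 44 01 00 3B")
REFERENCE_PAYLOAD = bytes.fromhex("00 01 e4 8a 1a") + b"\x00" * 5

if __name__ == "__main__":
    print("FP payload   :", evaluate(2007591, FP_PAYLOAD, dsize=10))        # (True, False)
    print("reference    :", evaluate(2007591, REFERENCE_PAYLOAD, dsize=10))  # (True, True)
```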