[Emerging-Sigs] Emerging Threats Daily Signature Changes
emerging@emergingthreats.net
Thu Jan 3 17:00:07 EST 2008
[***] Results from Oinkmaster started Thu Jan 3 17:00:06 2008 [***]
[+++] Added rules: [+++]
2007728 - BLEEDING-EDGE TROJAN TROJ_PROX.AFV POST (bleeding-virus.rules)
2007729 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (VideoAccessCodecInstall.exe) (bleeding.rules)
2007730 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.exe) (bleeding.rules)
2007731 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.dmg) (bleeding.rules)
2007732 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.exe) (bleeding.rules)
2007733 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.dmg) (bleeding.rules)
2007734 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (Install_video_3913230.exe) (bleeding.rules)
2007735 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (virusranger.exe) (bleeding.rules)
2007736 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (vrsvc.exe) (bleeding.rules)
2007737 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (stripshow.exe) (bleeding.rules)
2007738 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (happy2008.exe) (bleeding.rules)
2007739 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (fck2008.exe) (bleeding.rules)
2007740 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (happy_2008.exe) (bleeding.rules)
2007741 - BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (sony.exe) (bleeding.rules)
2007742 - BLEEDING-EDGE TROJAN Storm C&C with typo'd User-Agent (Windoss) (bleeding-virus.rules)
[///] Modified active rules: [///]
2007727 - BLEEDING-EDGE P2P possible torrent download (bleeding-p2p.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (16):
2007727 || BLEEDING-EDGE P2P possible torrent download
2007728 || BLEEDING-EDGE TROJAN TROJ_PROX.AFV POST || url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T
2007729 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (VideoAccessCodecInstall.exe)
2007730 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.exe)
2007731 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.dmg)
2007732 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.exe)
2007733 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.dmg)
2007734 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (Install_video_3913230.exe)
2007735 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (virusranger.exe)
2007736 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (vrsvc.exe)
2007737 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (stripshow.exe)
2007738 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (happy2008.exe)
2007739 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (fck2008.exe)
2007740 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (happy_2008.exe)
2007741 || BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (sony.exe)
2007742 || BLEEDING-EDGE TROJAN Storm C&C with typo'd User-Agent (Windoss)
-> Added to bleeding-virus.rules (1):
#storm c&c with a typo'd UA
-> Added to bleeding.rules (3):
# these may only be good for a few days, but considering the volume of infections and the high-profile
# places at blogspot, it's worth pushing these sigs out for a few days
# by matt jonkman, to be removed/reconsidered on jan 10 08
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (1):
2007727 || BLEEDING-EDGE Policy possible torrent download
-> Removed from bleeding-virus.rules (1):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN TROJ_PROX.AFV POST"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:".php"; nocase; content:"=|22|sid|22|"; nocase; content:"=|22|up|22|"; nocase; content:"=|22|wbfl|22|"; nocase; content:"=|22|v|22|"; nocase; content:"=|22|ping|22|"; nocase; content:"=|22|guid|22|"; nocase; content:"=|22|wv|22|"; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; classtype:trojan-activity; sid:2007728 rev:1;)