[Emerging-Sigs] UPS_Lieferschein.exe (Obitel) -> fixaserver.ru
Philipp Bescht
philipp at bescht.de
Mon Jul 14 08:54:08 EDT 2008
Hi,
recent spam mails, targeting German-speaking people mostly, are offering
a malicious binary which - upon successful infection - makes the
following (first) HTTP request:
GET /ldr/gate.php?hash=68acd724
User-Agent: ie
Host: fixaserver.ru
The User-Agent string is detected by sid 2007827.
In response to the above request, the infected host is redirected to
aetopoulos.de, downloading the files 1.exe and 2.exe.
If necessary, I propose the following signature for a more specific
detection of the initial request:
#ref: 6b4ef50e3e21205685cea919ebf93476
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Obitel trojan calling home"; flow:established,to_server; uricontent:"/gate.php?hash="; nocase; content:"|0d 0a|User-Agent\: ie|0d 0a|"; reference:url,www.abuse.ch/?p=143; classtype:trojan-activity; sid:2008402; rev:1;)
For a more significant msg-value, here are the namings by AV vendors:
http://www.virustotal.com/de/analisis/494735a1eabb06fb728aaa3481740eaa
On http://www.abuse.ch/?p=143 this is called 'wsnpoem'.
Regards,
Philipp
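As an added illustration (not part of the original post, and not Snort code), the following Python mirrors the two content checks of the proposed rule and runs them over constructed sample requests, showing that the User-Agent match is byte-exact and CRLF-bounded while the URI match is case-insensitive; the sample requests and function names are assumptions made for this example.

```python
# Constructed sample requests (not captures from the original post): one shaped
# like the observed Obitel/wsnpoem beacon and two that should NOT trigger the rule.
SAMPLE_REQUESTS = {
    "beacon": (
        b"GET /ldr/gate.php?hash=68acd724 HTTP/1.1\r\n"
        b"User-Agent: ie\r\n"
        b"Host: fixaserver.ru\r\n\r\n"
    ),
    "browser_gate": (  # same URI, but a normal browser UA containing "ie"
        b"GET /ldr/gate.php?hash=68acd724 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; ie)\r\n"
        b"Host: example.com\r\n\r\n"
    ),
    "short_ua_other_uri": (  # bare "ie" UA, but a different URI
        b"GET /index.php HTTP/1.1\r\n"
        b"User-Agent: ie\r\n"
        b"Host: example.com\r\n\r\n"
    ),
}

# Rule semantics being mirrored:
#   uricontent:"/gate.php?hash="; nocase;   -> case-insensitive substring of the URI
#   content:"|0d 0a|User-Agent\: ie|0d 0a|"; -> exact, case-sensitive bytes bounded by CRLF
URI_NEEDLE = b"/gate.php?hash="
UA_NEEDLE = b"\r\nUser-Agent: ie\r\n"


def request_uri(request: bytes) -> bytes:
    """Return the request-target from the request line (empty if malformed)."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matches_obitel_rule(request: bytes) -> bool:
    """True only when both content conditions of the rule hold."""
    uri_hit = URI_NEEDLE in request_uri(request).lower()
    ua_hit = UA_NEEDLE in request
    return uri_hit and ua_hit


def classify(requests: dict) -> dict:
    """Evaluate each sample request; returns {name: matched}."""
    return {name: matches_obitel_rule(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLE_REQUESTS).items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```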