[Emerging-Sigs] Emerging Threats Weekly Signature Changes
emerging@emergingthreats.net
Sat May 10 19:00:08 EDT 2008
[***] Results from Oinkmaster started Sat May 10 19:00:08 2008 [***]
[+++] Added rules: [+++]
2008182 - ET TROJAN Common Downloader Install Report URL (emerging-virus.rules)
2008183 - ET TROJAN Common Downloader Install Report URL (pid - mac) (emerging-virus.rules)
2008184 - ET MALWARE Suspicious User-Agent (Installer) (emerging-malware.rules)
2008185 - ET TROJAN Win32 Cloaker Related Post Infection Checkin (emerging-virus.rules)
2008186 - ET SCAN DirBuster Web App Scan in Progress (emerging-scan.rules)
2008187 - ET SCAN Paros Proxy Scanner Detected (emerging-scan.rules)
2008188 - ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe) (emerging.rules)
2008189 - ET TROJAN SpamTool.Win32.Agent.gy Or Similar HTTP Checkin (emerging-virus.rules)
2008190 - ET MALWARE WinButler User-Agent (WinButler) (emerging-malware.rules)
2008192 - ET WORM Korgo.P Reporting (emerging-virus.rules)
2008193 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) (emerging.rules)
2008194 - ET TROJAN Common Downloader Install Report URL (wmid - ucid) (emerging-virus.rules)
2008195 - ET TROJAN Dropper mdodo.com Related Trojan (emerging-virus.rules)
2008196 - ET TROJAN Dropper 6dzone.com Related Trojan (emerging-virus.rules)
2008197 - ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin (emerging-malware.rules)
2008198 - ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus) (emerging-malware.rules)
2008199 - ET MALWARE Suspicious User-Agent (QQ) (emerging-malware.rules)
[///] Modified active rules: [///]
2000026 - ET MALWARE Gator Agent Traffic (emerging-malware.rules)
2001295 - ET MALWARE Browseraid.com Agent (emerging-malware.rules)
2001487 - ET MALWARE Tibsystems Spyware Activity (emerging-malware.rules)
2001492 - ET MALWARE ISearchTech.com XXXPornToolbar Activity (MyApp) (emerging-malware.rules)
2001493 - ET MALWARE ISearchTech.com XXXPornToolbar Activity (IST) (emerging-malware.rules)
2001498 - ET MALWARE Internet Optimizer Activity (emerging-malware.rules)
2001582 - ET SCAN Behavioral Unusual Port 1434 traffic, Potential Scan or Infection (emerging-scan.rules)
2001583 - ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection (emerging-scan.rules)
2001639 - ET MALWARE Wild Tangent Agent Activity (emerging-malware.rules)
2001640 - ET MALWARE Altnet PeerPoints Manager Traffic (emerging-malware.rules)
2001652 - ET MALWARE JoltID Agent New Code Download (emerging-malware.rules)
2001703 - ET MALWARE Context Plus Spyware Activity (1) (emerging-malware.rules)
2001706 - ET MALWARE Context Plus Spyware Activity (2) (emerging-malware.rules)
2001707 - ET MALWARE Shop at Home Select Spyware Activity (SAH) (emerging-malware.rules)
2001732 - ET MALWARE Top Converting Agent Activity (emerging-malware.rules)
2001736 - ET MALWARE UCMore Spyware Activity (emerging-malware.rules)
2001746 - ET MALWARE Enhance My Search Spyware Activity (emerging-malware.rules)
2001852 - ET MALWARE 404Search Spyware User Agent (emerging-malware.rules)
2001853 - ET MALWARE Easy Search Bar Spyware User Agent (emerging-malware.rules)
2001854 - ET MALWARE EZULA Spyware User Agent (emerging-malware.rules)
2001855 - ET MALWARE Fun Web Products Spyware User Agent (1) (emerging-malware.rules)
2001858 - ET MALWARE Hotbar Spyware User Agent (emerging-malware.rules)
2001859 - ET MALWARE Cool Web Search Spyware User Agent (emerging-malware.rules)
2001860 - ET MALWARE Kontiki Spyware User Agent (emerging-malware.rules)
2001861 - ET MALWARE Micro-Gaming Spyware User Agent (emerging-malware.rules)
2001863 - ET MALWARE Fun Web Products Spyware User Agent (2) (emerging-malware.rules)
2001864 - ET MALWARE Fun Web Products Spyware User Agent (3) (emerging-malware.rules)
2001865 - ET MALWARE MyWebSearch Spyware User Agent (emerging-malware.rules)
2001867 - ET MALWARE Search Engine 2000 Spyware User Agent (emerging-malware.rules)
2001868 - ET MALWARE SureSeeker Spyware User Agent (emerging-malware.rules)
2001869 - ET MALWARE Sidesearch Spyware User Agent (emerging-malware.rules)
2001870 - ET MALWARE Surfplayer Spyware User Agent (emerging-malware.rules)
2001872 - ET MALWARE Visicom Spyware User Agent (emerging-malware.rules)
2002002 - ET MALWARE Better Internet Spyware User Agent Activity (thnall) (emerging-malware.rules)
2002005 - ET MALWARE Better Internet Spyware User Agent Activity (poller) (emerging-malware.rules)
2002011 - ET MALWARE PeopleonPage Spyware User Agent Activity (emerging-malware.rules)
2002020 - ET MALWARE Overpro Spyware User Agent Activity (merong) (emerging-malware.rules)
2002038 - ET MALWARE Shopathomeselect.com Spyware User Agent Activity (emerging-malware.rules)
2002047 - ET MALWARE surfaccuracy Spyware User Agent (emerging-malware.rules)
2002071 - ET MALWARE XupiterToolbar Spyware User Agent Activity (emerging-malware.rules)
2002074 - ET MALWARE Win32.Stubby Spyware User Agent Activity (emerging-malware.rules)
2002076 - ET MALWARE New.net Spyware User Agent Activity (emerging-malware.rules)
2002078 - ET MALWARE SideStep Spyware User Agent Activity (emerging-malware.rules)
2002079 - ET MALWARE MyWaySearch Products Spyware User Agent (emerging-malware.rules)
2002080 - ET MALWARE MySearch Products Spyware User Agent (emerging-malware.rules)
2002097 - ET MALWARE IEHelp.net Spyware User Agent Activity (emerging-malware.rules)
2002153 - ET MALWARE EXE as User Agent - Potential Malware (emerging-malware.rules)
2002400 - ET MALWARE Suspicious User Agent (Microsoft Internet Explorer) (emerging-malware.rules)
2002402 - ET MALWARE Suspicious Spyware Related User Agent (UtilMind HTTPGet) (emerging-malware.rules)
2002739 - ET MALWARE iDownloadAgent Spyware User Agent (emerging-malware.rules)
2002807 - ET MALWARE Spyaxe Spyware User Agent (emerging-malware.rules)
2002808 - ET MALWARE Spyaxe Spyware User Agent 2 (emerging-malware.rules)
2002874 - ET MALWARE Metafisher/Goldun z User Agent (emerging-malware.rules)
2002876 - ET MALWARE Small-EM/Divo/PassSickle User Agent (emerging-malware.rules)
2002877 - ET MALWARE BankSnif/Nethelper User Agent (emerging-malware.rules)
2002970 - ET MALWARE VB WinHTTP User Agent - Possible Malware (emerging-malware.rules)
2003062 - ET MALWARE 180 Solutions (Zango Installer) User Agent (emerging-malware.rules)
2003200 - ET MALWARE Suspicious User Agent (MSIE XPSP2) (emerging-malware.rules)
2003205 - ET MALWARE Suspicious User Agent (Informer from RBC) (emerging-malware.rules)
2003223 - ET MALWARE Zango-Hotbar User Agent (emerging-malware.rules)
2003243 - ET MALWARE Suspicious User Agent (Download Agent) Possibly Related to TrinityAcquisitions.com (emerging-malware.rules)
2003305 - ET MALWARE Zango-Hotbar User Agent (zbu-hb-) (emerging-malware.rules)
2003335 - ET MALWARE 2search.org User Agent (2search) (emerging-malware.rules)
2003336 - ET MALWARE AntiVermins.com Fake Antispyware Package User Agent (emerging-malware.rules)
2003342 - ET MALWARE www.baidu.com Spyware User Agent (bar-get) (emerging-malware.rules)
2003343 - ET MALWARE CNSMin Spyware User Agent (CnsMin Agent) (emerging-malware.rules)
2003345 - ET MALWARE Download UBAgent User Agent - lop.com and other spyware (emerging-malware.rules)
2003346 - ET MALWARE Errorsafe.com Fake antispyware User Agent (ErrorSafe Updater) (emerging-malware.rules)
2003347 - ET MALWARE Gamehouse.com User Agent (GAMEHOUSE.NET.URL) (emerging-malware.rules)
2003355 - ET MALWARE Yourscreen.com Spyware User Agent (FreezeInet) (emerging-malware.rules)
2003363 - ET MALWARE Spamblockerutility.com-Hotbar User Agent (sbu-hb-) (emerging-malware.rules)
2003365 - ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar ) (emerging-malware.rules)
2003367 - ET MALWARE www.baidu.com Spyware User Agent (sobar-post) (emerging-malware.rules)
2003368 - ET MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7) (emerging-malware.rules)
2003383 - ET MALWARE Hotbar Tools Spyware User Agent (hbtools) (emerging-malware.rules)
2003384 - ET MALWARE SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x) (emerging-malware.rules)
2003385 - ET MALWARE sgrunt Dialer User Agent (sgrunt) (emerging-malware.rules)
2003387 - ET MALWARE dialno Dialer User Agent (dialno) (emerging-malware.rules)
2003396 - ET MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent (emerging-malware.rules)
2003397 - ET MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar) (emerging-malware.rules)
2003398 - ET MALWARE Morpheus Spyware Install User-Agent (SmartInstaller) (emerging-malware.rules)
2003406 - ET MALWARE Mysearch.com Spyware User-Agent (iMeshBar) (emerging-malware.rules)
2003428 - ET MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer) (emerging-malware.rules)
2003439 - ET MALWARE Dropspam.com Spyware Install User-Agent (DSInstall) (emerging-malware.rules)
2003441 - ET MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90) (emerging-malware.rules)
2003449 - ET MALWARE Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4) (emerging-malware.rules)
2003468 - ET MALWARE Oemji Spyware User-Agent (Oemji) (emerging-malware.rules)
2003491 - ET MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) (emerging-malware.rules)
2003493 - ET MALWARE AskSearch Spyware User-Agent (AskSearchAssistant) (emerging-malware.rules)
2003494 - ET MALWARE AskSearch Toolbar Spyware User-Agent (AskTBar) (emerging-malware.rules)
2003495 - ET MALWARE HSN.com Toolbar Spyware User-Agent (HSN) (emerging-malware.rules)
2003496 - ET MALWARE AskSearch Toolbar Spyware User-Agent (AskBar) (emerging-malware.rules)
2005323 - ET MALWARE Suspicious User Agent - Likely Spyware (Starts with a bracket, contains a pipe or underscore) (emerging-malware.rules)
2006381 - ET MALWARE Ask.com Toolbar/Spyware User Agent (emerging-malware.rules)
2008015 - ET MALWARE Suspicious User Agent (Win95) (emerging-malware.rules)
2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe) (emerging.rules)
[---] Removed rules: [---]
2001504 - ET MALWARE Medialoads.com Spyware Activity (emerging-malware.rules)
2002014 - ET MALWARE Grandstreet Interactive Spyware User Agent Activity (2) (emerging-malware.rules)
2002039 - ET MALWARE Better Internet Spyware User Agent Activity (aurareco) (emerging-malware.rules)
2002073 - ET MALWARE General Spyware User Agent Activity (emerging-malware.rules)
2003357 - ET MALWARE Zenotecnico.com Spyware User Agent (WinXP Pro Service Pack 2) (emerging-malware.rules)
2003359 - ET MALWARE Seznam.cz Spyware User Agent (Seznam.cz XML-RPC) (emerging-malware.rules)
2003386 - ET MALWARE snprtz Dialer User Agent (snprtz) (emerging-malware.rules)
2003452 - ET MALWARE LoopAd/Secure-browser.com Spyware User-Agent (rw.exe) (emerging-malware.rules)
2006412 - ET MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila 4.0...) (emerging-malware.rules)
2008078 - ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (funny.exe) (emerging.rules)
2008079 - ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (kickme.exe) (emerging.rules)
2008101 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (withlove.exe) (emerging.rules)
2008102 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (love.exe) (emerging.rules)
[+++] Added non-rule lines: [+++]
-> Added to emerging-malware.rules (1):
#matt jonkman, www.winxdefender.com fake AV package
-> Added to emerging-scan.rules (3):
#by Adam Pointon at Sentinel Data Security
#not a malicious tool, a testing tool
#sig by Adam Pointon of Sentinelsecurity.com.au
-> Added to emerging-sid-msg.map (18):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe) || url,www.sudosecure.net/archives/61
2008182 || ET TROJAN Common Downloader Install Report URL
2008183 || ET TROJAN Common Downloader Install Report URL (pid - mac)
2008184 || ET MALWARE Suspicious User-Agent (Installer)
2008185 || ET TROJAN Win32 Cloaker Related Post Infection Checkin
2008186 || ET SCAN DirBuster Web App Scan in Progress || url,owasp.org
2008187 || ET SCAN Paros Proxy Scanner Detected || url,www.parosproxy.org
2008188 || ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)
2008189 || ET TROJAN SpamTool.Win32.Agent.gy Or Similar HTTP Checkin
2008190 || ET MALWARE WinButler User-Agent (WinButler) || url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html || url,www.winbutler.com
2008192 || ET WORM Korgo.P Reporting || url,www.f-secure.com/v-descs/korgo_p.shtml
2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.sudosecure.net/archives/67
2008194 || ET TROJAN Common Downloader Install Report URL (wmid - ucid)
2008195 || ET TROJAN Dropper mdodo.com Related Trojan
2008196 || ET TROJAN Dropper 6dzone.com Related Trojan
2008197 || ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin
2008198 || ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus) || url,www.pcclear.co.kr || url,www.pcclear.com
2008199 || ET MALWARE Suspicious User-Agent (QQ)
-> Added to emerging-sid-msg.map.txt (18):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe) || url,www.sudosecure.net/archives/61
2008182 || ET TROJAN Common Downloader Install Report URL
2008183 || ET TROJAN Common Downloader Install Report URL (pid - mac)
2008184 || ET MALWARE Suspicious User-Agent (Installer)
2008185 || ET TROJAN Win32 Cloaker Related Post Infection Checkin
2008186 || ET SCAN DirBuster Web App Scan in Progress || url,owasp.org
2008187 || ET SCAN Paros Proxy Scanner Detected || url,www.parosproxy.org
2008188 || ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)
2008189 || ET TROJAN SpamTool.Win32.Agent.gy Or Similar HTTP Checkin
2008190 || ET MALWARE WinButler User-Agent (WinButler) || url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html || url,www.winbutler.com
2008192 || ET WORM Korgo.P Reporting || url,www.f-secure.com/v-descs/korgo_p.shtml
2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.sudosecure.net/archives/67
2008194 || ET TROJAN Common Downloader Install Report URL (wmid - ucid)
2008195 || ET TROJAN Dropper mdodo.com Related Trojan
2008196 || ET TROJAN Dropper 6dzone.com Related Trojan
2008197 || ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin
2008198 || ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus) || url,www.pcclear.co.kr || url,www.pcclear.com
2008199 || ET MALWARE Suspicious User-Agent (QQ)
-> Added to emerging-virus.rules (4):
#matt jonkman Dropper Win32.Small.bfq
#matt Jonkman
#by matt jonkman, re 31fc628bf3c76e9b446d2eac18046b87, www.kjfbk07814.com/log/proc.php?key=RC4S25FOsd2
#Matt Jonkman, variant using ? rather than &'s
-> Added to emerging.rules (2):
#more by Jeremy at sudosecure
#by jeremy at sudosecure
[---] Removed non-rule lines: [---]
-> Removed from emerging-attack_response.rules (1):
# $Id: bleeding-attack_response.rules $
-> Removed from emerging-dos.rules (1):
# $Id: bleeding-dos.rules $
-> Removed from emerging-exploit.rules (1):
# $Id: bleeding-exploit.rules $
-> Removed from emerging-game.rules (1):
# $Id: bleeding-game.rules $
-> Removed from emerging-inappropriate.rules (1):
# $Id: bleeding-inappropriate.rules $
-> Removed from emerging-malware.rules (2):
# $Id: bleeding-malware.rules $
#from sandnet analysis, misspells Mozila in a new way
-> Removed from emerging-p2p.rules (1):
# $Id: bleeding-p2p.rules $
-> Removed from emerging-policy.rules (1):
# $Id: bleeding-policy.rules $
-> Removed from emerging-scan.rules (1):
# $Id: bleeding-scan.rules $
-> Removed from emerging-sid-msg.map (14):
2001504 || ET MALWARE Medialoads.com Spyware Activity
2002014 || ET MALWARE Grandstreet Interactive Spyware User Agent Activity (2)
2002039 || ET MALWARE Better Internet Spyware User Agent Activity (aurareco)
2002073 || ET MALWARE General Spyware User Agent Activity
2003357 || ET MALWARE Zenotecnico.com Spyware User Agent (WinXP Pro Service Pack 2)
2003359 || ET MALWARE Seznam.cz Spyware User Agent (Seznam.cz XML-RPC)
2003386 || ET MALWARE snprtz Dialer User Agent (snprtz) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
2003452 || ET MALWARE LoopAd/Secure-browser.com Spyware User-Agent (rw.exe)
2006412 || ET MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila 4.0...)
2008077 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)
2008078 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (funny.exe)
2008079 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (kickme.exe)
2008101 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (withlove.exe)
2008102 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (love.exe)
-> Removed from emerging-sid-msg.map.txt (14):
2001504 || ET MALWARE Medialoads.com Spyware Activity
2002014 || ET MALWARE Grandstreet Interactive Spyware User Agent Activity (2)
2002039 || ET MALWARE Better Internet Spyware User Agent Activity (aurareco)
2002073 || ET MALWARE General Spyware User Agent Activity
2003357 || ET MALWARE Zenotecnico.com Spyware User Agent (WinXP Pro Service Pack 2)
2003359 || ET MALWARE Seznam.cz Spyware User Agent (Seznam.cz XML-RPC)
2003386 || ET MALWARE snprtz Dialer User Agent (snprtz) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
2003452 || ET MALWARE LoopAd/Secure-browser.com Spyware User-Agent (rw.exe)
2006412 || ET MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila 4.0...)
2008077 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)
2008078 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (funny.exe)
2008079 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (kickme.exe)
2008101 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (withlove.exe)
2008102 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (love.exe)
-> Removed from emerging-virus.rules (1):
# $Id: bleeding-virus.rules $
-> Removed from emerging-voip.rules (1):
# $Id: bleeding-voip.rules $
-> Removed from emerging-web.rules (1):
# $Id: bleeding-web.rules $
-> Removed from emerging-web_sql_injection.rules (1):
# $Id: bleeding-web_sql_injection.rules $
-> Removed from emerging.rules (2):
# $Id: bleeding.rules $
#temporary for the current storm wave
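As an added example (not part of this report or of the Emerging Threats tooling), a short Python script that parses the Oinkmaster report format above and cross-checks the rule deltas against the sid-msg.map deltas: every added rule needs a new map entry carrying the same msg, every removed rule needs its map entry removed, and a modified rule whose msg changed must show one removal and one addition (2008077 above, whose msg went from "foolsday.exe" to "load.exe", which is why 17 added rules produce 18 map additions and 13 removed rules produce 14 map removals). The embedded REPORT is a constructed excerpt of this report, and the function names are my own; the emerging-sid-msg.map.txt twin is checked the same way by passing its name as mapfile.

```python
"""Cross-check an Oinkmaster change report: every added, removed or renamed
rule must have a matching delta in the sid-msg.map file."""
import re
from typing import Dict, List, Optional, Tuple

RULE_RE = re.compile(r"^(\d+) - (.+) \((\S+\.rules)\)$")
MAP_RE = re.compile(r"^(\d+) \|\| (.+)$")
SECTION_RE = re.compile(
    r"^\[(?:\+\+\+|///|---)\] (Added rules|Modified active rules|Removed rules|"
    r"Added non-rule lines|Removed non-rule lines): ")
SUBSECTION_RE = re.compile(r"^-> (?:Added to|Removed from) (\S+) \((\d+)\):$")
RULE_KEYS = {"Added rules": "added", "Modified active rules": "modified",
             "Removed rules": "removed"}

# Constructed excerpt of the report above: a few of its SIDs, same line formats.
REPORT = """\
[+++] Added rules: [+++]
2008186 - ET SCAN DirBuster Web App Scan in Progress (emerging-scan.rules)
2008187 - ET SCAN Paros Proxy Scanner Detected (emerging-scan.rules)
[///] Modified active rules: [///]
2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe) (emerging.rules)
[---] Removed rules: [---]
2008078 - ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (funny.exe) (emerging.rules)
[+++] Added non-rule lines: [+++]
-> Added to emerging-scan.rules (1):
#by Adam Pointon at Sentinel Data Security
-> Added to emerging-sid-msg.map (3):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe) || url,www.sudosecure.net/archives/61
2008186 || ET SCAN DirBuster Web App Scan in Progress || url,owasp.org
2008187 || ET SCAN Paros Proxy Scanner Detected || url,www.parosproxy.org
[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (2):
2008077 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (foolsday.exe)
2008078 || ET CURRENT_EVENTS Possible Storm Worm April Fools Day EXE Request (funny.exe)
"""


def parse_sid_msg_line(line: str) -> Optional[dict]:
    """'sid || msg || kind,value || ...' -> {sid, msg, refs}; None if not a map line."""
    m = MAP_RE.match(line)
    if not m:
        return None
    msg, *refs = m.group(2).split(" || ")
    return {"sid": int(m.group(1)), "msg": msg,
            "refs": [tuple(r.split(",", 1)) for r in refs]}


def parse_report(text: str, mapfile: str = "emerging-sid-msg.map") -> Dict[str, dict]:
    """Split the report into rule deltas and the deltas of one sid-msg.map file."""
    rep: Dict[str, dict] = {k: {} for k in ("added", "modified", "removed",
                                             "map_added", "map_removed")}
    section, subfile = None, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section, subfile = m.group(1), None          # new [+++]/[///]/[---] block
        elif (m := SUBSECTION_RE.match(line)):
            subfile = m.group(1)                         # "-> Added to <file> (N):"
        elif section in RULE_KEYS and (m := RULE_RE.match(line)):
            rep[RULE_KEYS[section]][int(m.group(1))] = {"msg": m.group(2), "file": m.group(3)}
        elif subfile == mapfile and (e := parse_sid_msg_line(line)):
            rep["map_added" if section == "Added non-rule lines" else "map_removed"][e["sid"]] = e
    return rep


def check_report(rep: Dict[str, dict]) -> List[str]:
    """Findings where the rule changes and the sid-msg.map changes disagree."""
    findings: List[str] = []
    for sid, rule in rep["added"].items():
        entry = rep["map_added"].get(sid)
        if entry is None:
            findings.append(f"{sid}: added rule has no new sid-msg.map entry")
        elif entry["msg"] != rule["msg"]:
            findings.append(f"{sid}: rule msg and sid-msg.map msg differ")
    for sid in rep["removed"]:
        if sid not in rep["map_removed"]:
            findings.append(f"{sid}: removed rule still has its sid-msg.map entry")
    for sid in rep["map_added"]:
        if sid in rep["modified"] and sid not in rep["map_removed"]:
            findings.append(f"{sid}: renamed rule added a map entry without removing the old one")
        elif sid not in rep["added"] and sid not in rep["modified"]:
            findings.append(f"{sid}: map entry added for a sid that was not added or modified")
    for sid in rep["map_removed"]:
        if sid not in rep["removed"] and sid not in rep["modified"]:
            findings.append(f"{sid}: map entry removed for a sid that was not removed or modified")
    return findings


def renamed_messages(rep: Dict[str, dict]) -> Dict[int, Tuple[str, str]]:
    """Modified rules whose msg changed: sid -> (old msg, new msg)."""
    return {sid: (rep["map_removed"][sid]["msg"], rep["map_added"][sid]["msg"])
            for sid in rep["modified"]
            if sid in rep["map_added"] and sid in rep["map_removed"]}


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print("findings:", check_report(rep) or "none")
    for sid, (old, new) in renamed_messages(rep).items():
        print(f"{sid}: '{old}' -> '{new}'")
```

Run it against a full weekly report saved from the list and any finding points at a SID whose alert will fire with a stale or missing description in the console, which is the usual symptom of a map file that drifted from the rules.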