[Emerging-Sigs] is this a hit or a false +ve? 2008548

Matt Jonkman jonkman at jonkmans.com
Thu Jan 22 23:37:35 EST 2009


Hey Russell. No, that's not exactly what this one is looking for,
although it's likely an infected system for other things.

It seems that the original package using that UA is pretty much defunct.
I think I'll drop the sig. If it happens to recur we should see it in
the sandnet.

Matt

Russell Fulton wrote:
> ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus
> User-Agent (3P and version num)    2008548
> 
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
> .NET CLR 2.0.50727; .NET CLR 3.0.04506; 3P_UVRM 1.0.11.1; Seekmo
> 10.0.431.0;
> 
> Yes, I know it has Seekmo :)  but what I want to know is if the 3P_UVRM
> 1.0.11.1 is what the sig is really looking for?
> 
> Russell
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



