[Emerging-Sigs] ET TROJAN Win32.PEx.C.91139756616 Checkin Signature

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 21 13:46:24 EDT 2011


Posted, thanks Micah!

Matt


On Oct 21, 2011, at 10:34 AM, Micah Kays wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32.PEx.C.91139756616 Checkin"; flow:established,to_server;
> content:"GET"; http_method; content:"/?vn="; http_uri; nocase;
> content:"&partner="; http_uri; nocase; content:"&ptag="; http_uri;
> nocase; content:"&cid="; http_uri; nocase;
> content:"&initial_install="; http_uri; nocase; content:"&b=";
> http_uri; nocase; content:"&se="; http_uri; nocase; content:"&au=";
> http_uri; nocase; content:"&am="; http_uri; nocase; content:"&pver=";
> http_uri; nocase; content:"&retries="; http_uri; nocase;
> reference:url,www.threatexpert.com/report.aspx?md5=2c969afbe71f35571d11e30f1e854b29;
> reference:url,threatcenter.crdf.fr/?More&ID=49889&D=CRDF.Win32.Win32.PEx.C.91139756616;
> classtype:trojan-activity; sid:001; rev:1;)


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
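
An added example (not part of the original message or the Emerging Threats ruleset): a small Python helper that parses the content matches out of the rule quoted above and applies them to constructed requests, as one might when retro-hunting proxy logs for the same check-in. It shows that, because the rule uses no distance/within modifiers, the parameters match in any order and, with nocase, in any case. The function names, the `Q` helper string and the sample requests are assumptions.

```python
import re
from urllib.parse import urlsplit

# Content options copied from the rule quoted above; header and metadata options omitted.
RULE_OPTIONS = (
    'content:"GET"; http_method; content:"/?vn="; http_uri; nocase; '
    'content:"&partner="; http_uri; nocase; content:"&ptag="; http_uri; nocase; '
    'content:"&cid="; http_uri; nocase; content:"&initial_install="; http_uri; nocase; '
    'content:"&b="; http_uri; nocase; content:"&se="; http_uri; nocase; '
    'content:"&au="; http_uri; nocase; content:"&am="; http_uri; nocase; '
    'content:"&pver="; http_uri; nocase; content:"&retries="; http_uri; nocase;'
)
# Constructed sample requests (method, URL); host name and parameter values are made up.
Q = "vn=1&partner=p&ptag=t&cid=9&initial_install=1&b=ie&se=g&au=1&am=0&pver=2"
SAMPLES = [
    ("GET", "http://host.example/?" + Q + "&retries=0"),   # full parameter set
    ("GET", "http://host.example/?VN=1&RETRIES=0&PVER=2&AM=0&AU=1&SE=g&B=ie&INITIAL_INSTALL=1&CID=9&PTAG=t&PARTNER=p"),
    ("POST", "http://host.example/?" + Q + "&retries=0"),  # wrong method
    ("GET", "http://host.example/?" + Q),                  # no &retries=
]

def parse_contents(options):
    """Return (pattern, buffer, nocase) per content option; assumes no escaped ';' in patterns."""
    found = []
    for opt in (o.strip() for o in options.split(";") if o.strip()):
        m = re.fullmatch(r'content:"(.*)"', opt)
        if m:
            found.append([m.group(1), "raw", False])
        elif opt in ("http_uri", "http_method") and found:
            found[-1][1] = opt          # buffer modifier applies to the preceding content
        elif opt == "nocase" and found:
            found[-1][2] = True
    return [tuple(f) for f in found]

def request_matches(method, url, contents):
    """True when every content is present in its buffer (order-independent substring test)."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    buffers = {"http_method": method, "http_uri": uri, "raw": f"{method} {uri}"}
    for pattern, buf, nocase in contents:
        hay = buffers[buf]
        if nocase:
            hay, pattern = hay.lower(), pattern.lower()
        if pattern not in hay:
            return False
    return True

def hunt(samples=SAMPLES):
    contents = parse_contents(RULE_OPTIONS)
    return [request_matches(m, u, contents) for m, u in samples]
```

The URI is compared as logged, without the normalization Snort applies to the `http_uri` buffer, so percent-encoded variants would need decoding first.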


