[Emerging-Sigs] SIG: ET TROJAN W32/OnlineGames Checkin

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 21 13:54:55 EDT 2011

We've got a pro sig for this, I'll move it over to the open set.

Thanks Kevin!


On Oct 20, 2011, at 7:05 PM, Kevin Ross wrote:

> # MD5 075075feb21ea69e4d5edff78141f8d6
> # clamav sig (searches for some stuff about gameupdate in binary): W32/OnlineGames:1:*:4e657747616d65557064617465*47616d6556657273696f6e55706461746531*557064617465546f6f6c
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OnlineGames Checkin"; flow:established,to_server; content:"/pcgame/"; http_uri; content:"?Hook1="; http_uri; content:"Setup="; http_uri; classtype:trojan-activity; sid:144991; rev:1;)
> Regards, Kevin

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110

More information about the Emerging-sigs mailing list