[Emerging-Sigs] Win32.PEx.Delphi.1151005043 Post-infection Checkin and Win32/FakeSysdef Checkin Signatures

Micah Kays micah.d.kays at gmail.com
Sun Oct 23 21:25:50 EDT 2011


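# Win32.PEx.Delphi.1151005043 post-infection check-in: an outbound HTTP GET whose
# URI contains "/boot.php?ptr=" (case-insensitive) from a host in $HOME_NET to
# $EXTERNAL_NET on $HTTP_PORTS, on an established client->server flow.
# Fixes relative to the list post:
#   - the rule is on one line (Snort/Suricata rule files do not accept an unescaped
#     line break inside a rule; the mailer had wrapped the msg option);
#   - reference:url values carry no "http://" -- the engine prepends the scheme
#     from reference.config, so a literal scheme produces "http://http://..." links;
#   - both references are grouped ahead of classtype, matching the second rule.
# Caveats for deployment:
#   - "/boot.php?ptr=" is a short, fairly generic URI fragment; expect some false
#     positives and consider pairing it with the host/User-Agent seen in the
#     referenced sample once confirmed.
#   - traffic on a non-$HTTP_PORTS port will not be inspected by this rule.
#   - sid:021 is a submission placeholder; ET assigns the final SID. If the rule
#     is loaded locally before that, use a sid >= 1000000 so it does not collide
#     with the vendor-reserved range.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/boot.php?ptr="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0; reference:url,threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; classtype:trojan-activity; sid:021; rev:1;)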

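# Win32/FakeSysdef (fake system-defragmenter scareware) check-in: an outbound HTTP
# GET whose URI contains all four substrings "/404.php?type=", "&affid=", "&subid="
# and "&awok" (case-insensitive), from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS,
# on an established client->server flow.
# Fixes relative to the list post:
#   - the rule is on one line (the mailer had wrapped the msg and content options;
#     a rule broken across lines without "\" continuation fails to load);
#   - reference:url values carry no "http://" -- the engine prepends the scheme
#     from reference.config, so a literal scheme produces "http://http://..." links.
# Caveats for deployment:
#   - the four URI contents are not chained with distance/within, so they match in
#     any order and at any offset; if the sample's URI fixes their order, adding
#     distance:0 between them tightens the rule (confirm against the referenced
#     ThreatExpert/VirusTotal reports before doing so).
#   - traffic on a non-$HTTP_PORTS port will not be inspected by this rule.
#   - sid:031 is a submission placeholder; ET assigns the final SID. If the rule
#     is loaded locally before that, use a sid >= 1000000 so it does not collide
#     with the vendor-reserved range.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/FakeSysdef Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/404.php?type="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&awok"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=87f6402164d2cc373822ce47f02b7ffe; reference:url,www.virustotal.com/file-scan/report.html?id=6ee20d732f157e5a8c5b1c6ec3d719d47cdef0d4ba15daf24b4e75e847007aa8-1319341576; classtype:trojan-activity; sid:031; rev:1;)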

