[Emerging-Sigs] Win32.Trojan.SuspectCRC Checkin Signature

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 24 11:46:53 EDT 2011

This also uses the UA "sample", and we catch that. But this wil be more specific. Posting!

Thanks Micah!


On Oct 4, 2011, at 9:50 AM, Micah Kays wrote:

> alert tcp $HOME_NET any -> any $HTTP_PORTS
> (msg:"Win32.Trojan.SuspectCRC Checkin"; uricontent:"value.php?";
> uricontent:"md="; uricontent:"&pc="; classtype:trojan-activity;
> reference:url,http://www.threatexpert.com/report.aspx?md5=54c9d51661a05151e5143f4e80cbed86;
> sid:1; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110

More information about the Emerging-sigs mailing list