[Emerging-Sigs] Win32.PEx.Delphi.996796543 Checkin Signature

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 31 13:54:53 EST 2011

We have a Pro rule for this one, Dooptroop Dropper. It also grabs the user-agent which is "Explorer". 

I'll move the pro rule over to open, this is a good rule but we might FP on ad requests. WIth the UA it's reliable.



On Oct 27, 2011, at 12:47 PM, Micah Kays wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32.PEx.Delphi.996796543Checkin"; flow:established,to_server;
> content:"GET"; http_method; content:"/nconfirm.php?rev="; nocase;
> http_uri; content:"&code="; nocase; http_uri; content:"&param=";
> nocase; http_uri; content:"&num="; nocase; http_uri;
> reference:url,http://www.threatexpert.com/report.aspx?md5=74fb948a209f60124a56f174b6c6813a;
> reference:url,http://threatcenter.crdf.fr/?More&ID=50165&D=CRDF.Malware.Win32.PEx.Delphi.996796543;
> classtype:trojan-activity; sid:051; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110

More information about the Emerging-sigs mailing list