Sig for this. And for those interested, a ClamAV sig too, which looks for the string http://%s:%d/%s.php?id=%06d%s&ext=%s in an executable.

Regards, Kevin

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Einstein CnC Communication"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; classtype:trojan-activity; reference:url,http://www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; sid:1987911; rev:1;)

CLAMAV SIG: (save in a .ndb file and make sure there is no newline after it unless another sig is underneath; you can use the -d option to point to it in clamav or just stick the file in /var/lib/clamav)

W32.Einstein:1:*:687474703a2f2f25733a25642f25732e7068703f69643d253036642573266578743d2573
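
An added example, not part of the original post: Python that decodes the .ndb hex body to confirm it is the format string quoted above, and re-implements the Snort rule's method, URI content and pcre checks so they can be tried against constructed requests. The function names and sample URIs are assumptions, and Snort's URI normalization is not modeled.

```python
import re

# Signature line copied from the post (ClamAV .ndb layout:
# MalwareName:TargetType:Offset:HexSignature).
NDB_LINE = ("W32.Einstein:1:*:687474703a2f2f25733a25642f25732e7068703f"
            "69643d253036642573266578743d2573")

def parse_ndb(line):
    """Split an .ndb entry and decode its hex body.

    Only handles plain hex bodies like the one above; .ndb wildcards
    (??, *, {n}) would make bytes.fromhex() raise ValueError.
    """
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(hexsig)}

# Same expression as the rule's pcre option. The hex escapes are
# literals, so \x2E is a real dot and \x3F a real question mark.
URI_PCRE = re.compile(r"\x2F[a-z]{5}\x2Ephp\x3Fid\x3D")

def rule_matches(method, uri):
    """Approximate the rule's checks: http_method, two http_uri
    content matches (case-sensitive, no nocase) and the pcre."""
    return (method == "POST"
            and ".php?id=" in uri
            and "&ext=" in uri
            and URI_PCRE.search(uri) is not None)

# Constructed requests (not captured traffic) for exercising the rule.
SAMPLES = [
    ("POST", "/abcde.php?id=000042x&ext=dat"),   # shape of the format string
    ("GET",  "/abcde.php?id=000042x&ext=dat"),   # wrong method
    ("POST", "/upload.php?id=000042&ext=dat"),   # six-letter script name
    ("POST", "/abcde.php?id=000042x"),           # no &ext= parameter
    ("POST", "/index.php?id=000042&ext=dat"),    # any five-letter name hits
]

if __name__ == "__main__":
    sig = parse_ndb(NDB_LINE)
    print(sig["name"], "target", sig["target"], "offset", sig["offset"])
    print("decoded pattern:", sig["pattern"].decode("ascii"))
    for method, uri in SAMPLES:
        print(f"{method:4} {uri:35} -> {rule_matches(method, uri)}")
```

The last sample shows that the pcre accepts any five lowercase letters before `.php`, so a POST to a page such as `/index.php` that carries both `id=` and `ext=` parameters would also alert.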