[Emerging-updates] Live Commit Output

emerging@emergingthreats.net emerging at emergingthreats.net
Sat Mar 22 16:09:57 EST 2008


[***] Results from Oinkmaster started Sat Mar 22 17:09:57 2008 [***]

[+++]          Added rules:          [+++]

 2002976 - ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner (bleeding-virus.rules)
 2002978 - ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner (bleeding-virus.rules)
 2002980 - ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner (bleeding-virus.rules)
 2002981 - ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner (bleeding-virus.rules)
 2003931 - ET TROJAN Banker.Delf User-Agent (Varlok_11000) (bleeding-virus.rules)
 2003933 - ET TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
 2004442 - ET TROJAN Banker.Delf User-Agent (hhh) (bleeding-virus.rules)
 2007594 - ET TROJAN Banker.Delf User-Agent (MzApp) (bleeding-virus.rules)
 2007699 - ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS) (bleeding-virus.rules)
 2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
 2007858 - ET TROJAN Delf Keylog FTP Upload (bleeding-virus.rules)
 2007867 - ET TROJAN Delf HTTP Post Checkin (1) (bleeding-virus.rules)
 2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
 2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (bleeding-virus.rules)
 2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
 2007995 - ET TROJAN Delf Checkin via HTTP (5) (bleeding-virus.rules)
 2008006 - ET TROJAN Delf CnC Channel Packet 1 (bleeding-virus.rules)
 2008007 - ET TROJAN Delf CnC Channel Packet 1 reply (bleeding-virus.rules)
 2008008 - ET TROJAN Delf CnC Channel Checkin Replies (bleeding-virus.rules)
 2008009 - ET TROJAN Delf CnC Channel Keepalive Pong (bleeding-virus.rules)
 2008010 - ET TROJAN Delf CnC Channel Keepalive Ping (bleeding-virus.rules)


[---]         Removed rules:         [---]

 2007995 - ET MALWARE Vaccine-program.co.kr Related Spyware Checkin (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (20):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2008006 || ET TROJAN Delf CnC Channel Packet 1
        2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
        2008008 || ET TROJAN Delf CnC Channel Checkin Replies
        2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
        2008010 || ET TROJAN Delf CnC Channel Keepalive Ping

     -> Added to bleeding-sid-msg.map.txt (20):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2008006 || ET TROJAN Delf CnC Channel Packet 1
        2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
        2008008 || ET TROJAN Delf CnC Channel Checkin Replies
        2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
        2008010 || ET TROJAN Delf CnC Channel Keepalive Ping

     -> Added to bleeding-virus.rules (7):
        # This thing send out an email to it's owner with stats and such. This ought to catch it..
        #another variant
        #Yet another
        #yet another c&c method, by matt jonkman
        #delf keylog upload, kinda flimsy but works
        #by Victor Julien
        #re sample 41c62970ea34413c4011b220724bf029