[Snort-sigs] Possible trojan rule

Hugo van der Kooij hvdkooij at ...481...
Wed Jun 2 22:14:09 EDT 2004


On Wed, 2 Jun 2004, Matthew Jonkman wrote:

> We're finding a number of client machines infected with something. Not
> sure what it is. The symptom is it downloads
>
> http://209.123.150.15/siae3123.exe

3 different virus scanners could not find any harm in them. Functions
called inside:

	ExitProcess
	Sleep

Filename referenced:

	c:\Projects\Empty\Empty\Release\Empty.pdb

Various internet pages seem to indicate this as spyware.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
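
The `.pdb` filename reported in the message above is the kind of string a linker leaves in a CodeView debug record. As an added example that is not part of the original post, this Python sketch scans a file's bytes for RSDS and NB10 records and returns the embedded path; the function name and the sample bytes are constructed for illustration, with only the path taken from the message.

```python
import re
import struct
import uuid

# CodeView records that hold the PDB path the linker embedded:
#   RSDS: signature, 16-byte GUID, 4-byte age, NUL-terminated path (PDB 7.0)
#   NB10: signature, 4-byte offset, 4-byte timestamp, 4-byte age, path (PDB 2.0)
_RSDS = re.compile(rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.S)
_NB10 = re.compile(rb"NB10.{4}(?P<ts>.{4})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.S)


def find_pdb_records(data: bytes):
    """Return every CodeView record found in data, ordered by file offset."""
    found = []
    for fmt, pattern in (("RSDS", _RSDS), ("NB10", _NB10)):
        for m in pattern.finditer(data):
            path = m.group("path").decode("latin-1")
            # A signature hit that is not followed by a .pdb path is
            # almost certainly a coincidence in unrelated data.
            if not path.lower().endswith(".pdb"):
                continue
            rec = {
                "format": fmt,
                "offset": m.start(),
                "age": struct.unpack("<I", m.group("age"))[0],
                "path": path,
            }
            if fmt == "RSDS":
                # The GUID is stored as a Windows GUID struct (mixed endian).
                rec["guid"] = str(uuid.UUID(bytes_le=m.group("guid")))
            else:
                rec["timestamp"] = struct.unpack("<I", m.group("ts"))[0]
            found.append(rec)
    return sorted(found, key=lambda r: r["offset"])


# Constructed sample: not a real executable, just padding around one RSDS
# record carrying the path quoted in the message.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + rb"c:\Projects\Empty\Empty\Release\Empty.pdb" + b"\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for record in find_pdb_records(SAMPLE):
        print(record)
```
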



