[Snort-sigs] Possible trojan rule
jstewart at ...5...
Thu Jun 3 07:17:11 EDT 2004
On Thursday 03 June 2004 9:20 am, Micheal Cottingham wrote:
> The only other thing I can add is that it looks like it is creating
> .text and .rdata files as well.
Those are just PE section names. The only thing this binary does is
sleep for 10 seconds then exit. That's not to say the same URL hasn't
hosted some malware in the past, or possibly in the future. It could
just be the malware author is trying to play hide-and-seek with the
real file to try and keep it out of the AV companies' definition files
longer. It's probably worth monitoring to see if the file at that URL
changes at some point.
Joe Stewart, GCIH
Senior Security Researcher
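
An added example, not part of the original message: a minimal Python parser that reads the section table of a PE image, showing that names such as .text and .rdata are entries in the file's own headers rather than files it creates. The sample image is constructed for the illustration, and the function names pe_sections and build_sample_pe are assumptions.

```python
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes


def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    if coff_off + COFF_HEADER.size > len(data):
        raise ValueError("truncated COFF header")
    _, nsections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(data, coff_off)
    # The section table starts right after the optional header.
    table = coff_off + COFF_HEADER.size + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(data):
            raise ValueError("truncated section table")
        name, vsize, _, raw_size, *_ = SECTION_HEADER.unpack_from(data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size))
    return sections


def build_sample_pe():
    """Constructed header-only image with .text and .rdata entries (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = b"\0" * 0xE0  # placeholder optional header, contents not parsed here
    coff = COFF_HEADER.pack(0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    text = SECTION_HEADER.pack(b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    rdata = SECTION_HEADER.pack(b".rdata", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + opt + text + rdata


if __name__ == "__main__":
    for name, vsize, raw in pe_sections(build_sample_pe()):
        print(f"{name:<8} virtual={vsize:#x} raw={raw:#x}")
```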