[Snort-sigs] Possible trojan rule

Joe Stewart jstewart at ...5...
Thu Jun 3 07:17:11 EDT 2004


On Thursday 03 June 2004 9:20 am, Micheal Cottingham wrote:
> The only other thing I can add is that it looks like it is creating
> .text and .rdata files as well.

Those are just PE section names. The only thing this binary does is 
sleep for 10 seconds then exit. That's not to say the same URL hasn't 
hosted some malware in the past, or possibly in the future. It could 
just be the malware author is trying to play hide-and-seek with the 
real file to try and keep it out of the AV companies' definition files 
longer. It's probably worth monitoring to see if the file at that URL 
changes at some point.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
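
An added illustration of the point in the reply above, not part of the original message: `.text` and `.rdata` are entries in a PE file's section table, not files the binary creates. The sketch below reads those names from a header-only image constructed inline; `pe_section_names` and `build_sample_pe` are names made up for this example.

```python
import struct

def pe_section_names(data: bytes) -> list[str]:
    """Return the section names listed in a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    # The 20-byte COFF file header follows the signature.
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    # The section table starts right after the optional header.
    table = pe_off + 4 + 20 + opt_size
    names = []
    for i in range(nsections):
        hdr = table + i * 40              # each section header is 40 bytes
        if hdr + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[hdr:hdr + 8]           # name: 8 bytes, NUL-padded
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def build_sample_pe(names):
    """Constructed header-only PE image for the demo (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # PE header directly after DOS header
    opt = bytes(0xE0)                         # zeroed optional header, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32)
                        for n in names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections

if __name__ == "__main__":
    sample = build_sample_pe([".text", ".rdata"])
    for name in pe_section_names(sample):
        print(name)
```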



