[Snort-sigs] Possible trojan rule

Stark, Vernon L. Vern.Stark at ...2533...
Thu Jun 3 07:23:49 EDT 2004

In addition to retrieving an executable from, this malware
may be generating pop-up ads and sending at least statistical information to
virtumonde.com (  Content exchanged with

e_g_AdCategory:  Some
e_g_PopupPerDay:  2
e_g_StatisticsUploadDelay:  1
g_Popup: U?]O
g_PopupPerDay:  J
g_StatisticsUploadDelay:  y
g_StealFocus: a[AfO
g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:
g_URL: 8


-----Original Message-----
From: Micheal Cottingham [mailto:micheal.cottingham at ...2462...]
Sent: Thursday, June 03, 2004 9:20 AM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Possible trojan rule

The only other thing I can add is that it looks like it is creating 
.text and .rdata files as well.

Micheal Cottingham, Comptia A+
micheal.cottingham at ...2462...

Hugo van der Kooij wrote:

>On Wed, 2 Jun 2004, Matthew Jonkman wrote:
>>We're finding a number of client machines infected with something. Not
>>sure what it is. The symptom is it downloads
>3 different virus scanners could not find any harm in them. Functions
>called inside:
>	ExitProcess
>	Sleep
>Filename referenced:
>	c:\Projects\Empty\Empty\Release\Empty.pdb
>Various internet pages seem to indicate this as spyware.
