[Snort-sigs] Possible trojan rule

Stark, Vernon L. Vern.Stark at ...2533...
Thu Jun 3 07:23:49 EDT 2004


In addition to retrieving an executable from 209.123.150.15, this malware
may be generating pop-up ads and sending at least statistical information to
virtumonde.com (209.123.150.14).  Content exchanged with 209.123.150.14
includes:

e_g_AdCategory:  Some
e_g_PopupPerDay:  2
e_g_StatisticsUploadDelay:  1
g_Popup: U?]O
g_PopupPerDay:  J
g_StatisticsUploadDelay:  y
g_StealFocus: a[AfO
g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:
g_URL: 8

Vern

-----Original Message-----
From: Micheal Cottingham [mailto:micheal.cottingham at ...2462...]
Sent: Thursday, June 03, 2004 9:20 AM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Possible trojan rule


The only other thing I can add is that it looks like it is creating 
.text and .rdata files as well.

_____________________________________
Micheal Cottingham, Comptia A+
micheal.cottingham at ...2462...
1-434-949-1078



Hugo van der Kooij wrote:

>On Wed, 2 Jun 2004, Matthew Jonkman wrote:
>
>>We're finding a number of client machines infected with something. Not
>>sure what it is. The symptom is it downloads
>>
>>http://209.123.150.15/siae3123.exe
>
>3 different virus scanners could not find any harm in them. Functions
>called inside:
>
>	ExitProcess
>	Sleep
>
>Filename referenced:
>
>	c:\Projects\Empty\Empty\Release\Empty.pdb
>
>Various internet pages seem to indicate this as spyware.
>
>Hugo.


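The thread asks for a rule but never shows one. Below is an added example (not code from any of the posters, and not a published Snort rule) that turns the two indicators quoted above into candidate Snort 2.x rules: the GET for /siae3123.exe on 209.123.150.15, and the stats upload to 209.123.150.14 carrying the e_g_AdCategory / e_g_PopupPerDay field names. The SIDs (local range, 1000001 and 1000002), message strings and sample payloads are assumptions constructed for illustration; the matcher is a small stand-in for Snort's content engine so the rules can be exercised offline, and it ignores flow/stream state.

```python
# Added example for the Snort-sigs thread above: candidate rules for the
# siae3123.exe download and the virtumonde.com stats upload, rendered as
# Snort 2.x text and checked against constructed sample payloads.
# Not from the thread; SIDs, msg strings and payloads are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    depth: Optional[int] = None   # Snort depth: pattern must lie in first N bytes


@dataclass
class Rule:
    sid: int
    msg: str
    dst_ip: str
    dst_port: int
    contents: List[Content]


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes


# Rule 1: the download. Keyed on the exact host and URI quoted in the thread;
# "GET " with depth:4 pins the match to a request line, not a body.
# Rule 2: the statistics upload. The e_g_* field names are the more durable
# indicator, since the server IP can change without the client changing.
RULES = [
    Rule(1000001, "LOCAL possible spyware download siae3123.exe",
         "209.123.150.15", 80,
         [Content(b"GET ", depth=4), Content(b"/siae3123.exe", nocase=True)]),
    Rule(1000002, "LOCAL possible spyware stats upload to virtumonde.com",
         "209.123.150.14", 80,
         [Content(b"e_g_AdCategory"), Content(b"e_g_PopupPerDay")]),
]


def to_snort(rule: Rule) -> str:
    """Render a Rule as Snort 2.x rule text (flow:to_server,established assumed)."""
    opts = [f'msg:"{rule.msg}"', "flow:to_server,established"]
    for c in rule.contents:
        opts.append(f'content:"{c.pattern.decode()}"')
        if c.nocase:
            opts.append("nocase")
        if c.depth is not None:
            opts.append(f"depth:{c.depth}")
    opts += ["classtype:trojan-activity", f"sid:{rule.sid}", "rev:1"]
    return (f"alert tcp $HOME_NET any -> {rule.dst_ip} {rule.dst_port} "
            f"({'; '.join(opts)};)")


def content_hits(c: Content, payload: bytes) -> bool:
    """Stand-in for one Snort content option: substring search, honoring depth/nocase."""
    hay = payload if c.depth is None else payload[:c.depth]
    needle = c.pattern
    if c.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header check (dst ip/port) plus every content option; flow state is ignored here."""
    if pkt.dst_ip != rule.dst_ip or pkt.dst_port != rule.dst_port:
        return False
    return all(content_hits(c, pkt.payload) for c in rule.contents)


def alerts(packets: List[Packet]) -> List[Tuple[int, int]]:
    """Return (packet index, sid) for every rule that fires."""
    return [(i, r.sid) for i, p in enumerate(packets)
            for r in RULES if rule_matches(r, p)]


# Constructed sample traffic (not captured data): one hit per rule, two misses.
SAMPLE_PACKETS = [
    Packet("209.123.150.15", 80,
           b"GET /siae3123.exe HTTP/1.0\r\nHost: 209.123.150.15\r\n\r\n"),
    Packet("209.123.150.14", 80,
           b"POST /stats HTTP/1.0\r\nHost: virtumonde.com\r\n\r\n"
           b"e_g_AdCategory: Some\r\ne_g_PopupPerDay: 2\r\n"),
    # Same file name from a different host: rule 1 is IP-keyed, so it is silent.
    Packet("10.0.0.5", 80, b"GET /siae3123.exe HTTP/1.0\r\n\r\n"),
    # Ordinary request to the same host: URI content does not match.
    Packet("209.123.150.15", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for r in RULES:
        print(to_snort(r))
    print(alerts(SAMPLE_PACKETS))
```

The third sample packet is the caveat a practitioner should notice: keying rule 1 on the server address keeps false positives low but means a host change by the distributor silences it, whereas the e_g_* field names in rule 2 survive that. Dropping the IP from rule 2 and matching on the field names alone is a reasonable follow-up once the strings have been confirmed on more than one infected client.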

More information about the Snort-sigs mailing list