[Snort-sigs] Possible trojan rule

Matthew Jonkman matt at ...2436...
Thu Jun 3 09:17:03 EDT 2004

Do you have a dump of that post of info?  I cleaned my infected ones but 
would like to write a rule to catch that as well.

The rules to catch the updates are dependent on them using the same file 
name, and thus probably won't last long.

Thanks. Nice catch.


Stark, Vernon L. wrote:

> In addition to retrieving an executable from, this malware
> may be generating pop-up ads and sending at least statistical information to
> virtumonde.com (  Content exchanged with
> includes:
> e_g_AdCategory:  Some
> e_g_PopupPerDay:  2
> e_g_StatisticsUploadDelay:  1
> g_Popup: U?]O
> g_PopupPerDay:  J
> g_StatisticsUploadDelay:  y
> g_StealFocus: a[AfO
> g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:
> g_URL: 8
> Vern
