[Snort-sigs] Possible trojan rule
matt at ...2436...
Thu Jun 3 09:17:03 EDT 2004
Do you have a dump of that post of info? I cleaned my infected ones but
would like to write a rule to catch that as well.
The rules to catch the updates are dependent on them using the same file
name, and thus probably won't last long.
Thanks. Nice catch.
Stark, Vernon L. wrote:
> In addition to retrieving an executable from 184.108.40.206, this malware
> may be generating pop-up ads and sending at least statistical information to
> virtumonde.com (220.127.116.11). Content exchanged with 18.104.22.168
> e_g_AdCategory: Some
> e_g_PopupPerDay: 2
> e_g_StatisticsUploadDelay: 1
> g_Popup: U?]O
> g_PopupPerDay: J
> g_StatisticsUploadDelay: y
> g_StealFocus: a[AfO
> g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:
> g_URL: 8