[Snort-sigs] Possible trojan rule

Matthew Jonkman matt at ...2436...
Thu Jun 3 09:17:03 EDT 2004


Do you have a dump of that post of info?  I cleaned my infected ones but 
would like to write a rule to catch that as well.

The rules to catch the updates are dependent on them using the same file 
name, and thus probably won't last long.

Thanks. Nice catch.

Matt

Stark, Vernon L. wrote:

> In addition to retrieving an executable from 209.123.150.15, this malware
> may be generating pop-up ads and sending at least statistical information to
> virtumonde.com (209.123.150.14).  Content exchanged with 209.123.150.14
> includes:
> 
> e_g_AdCategory:  Some
> e_g_PopupPerDay:  2
> e_g_StatisticsUploadDelay:  1
> g_Popup: U?]O
> g_PopupPerDay:  J
> g_StatisticsUploadDelay:  y
> g_StealFocus: a[AfO
> g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:
> g_URL: 8
> 
> Vern
> 
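One way to write the rule Matt is asking for, keyed on the parameter names Vern posted rather than on the update file name (which the thread notes is likely to change). This is an added example, not a rule from the thread or from the Snort ruleset; it assumes the parameters travel in the request body of an HTTP session to 209.123.150.14, and the sid values are local-range placeholders.

```snort
# Statistics upload to virtumonde.com (209.123.150.14), matched on the
# parameter names seen in the captured exchange. Two distinct names are
# required so a single generic "g_URL" string does not fire on its own.
alert tcp $HOME_NET any -> 209.123.150.14 $HTTP_PORTS (msg:"Possible Virtumonde statistics upload"; flow:to_server,established; content:"g_StatisticsUploadDelay"; nocase; content:"g_PopupPerDay"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)

# Fallback for the case where the host changes but the client-side
# parameter names do not: same content, any external destination.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Virtumonde statistics upload (any host)"; flow:to_server,established; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_StealFocus"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)

# Executable retrieval from 209.123.150.15; this only notes the connection,
# since the file name is not known to be stable.
alert tcp $HOME_NET any -> 209.123.150.15 $HTTP_PORTS (msg:"Possible Virtumonde update retrieval"; flow:to_server,established; classtype:trojan-activity; sid:1000003; rev:1;)
```

The first two rules are the durable ones; the third will need its destination updated if the download host moves, so check it against a current capture before relying on it.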




