[Snort-sigs] Rule for MSWord GinWin.

Joe Stewart jstewart at ...5...
Fri May 26 06:03:02 EDT 2006


On Friday 26 May 2006 08:47, Ureleet Ureleet wrote:
> I do not have a pcap for it.  This was a preemptive signature based
> off of the virus info.  Please do not write me asking for a pcap
> anymore.  If I had one, it would be given to the people at VRT.

Here's a (sandnet-collected, so the IPs are not real) pcap of the DNS 
request and the initial HTTP post to one of the two hosts.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ginwin.cap
Type: application/octet-stream
Size: 311 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060526/a6f8bb41/attachment.obj>

