[Snort-users] winhe800 trojan

Crusty Saint saintcrusty at ...11827...
Fri Aug 19 06:40:20 EDT 2011


Hi,

I've just come across a machine which has been repeatedly infected with a
more or less recent Trojan recognisable by the winhe800.exe filename.

Little information exists and is not 100% consistent. Evidence was deleted
by an overzealous admin so I cannot simply try and build a custom rule for
this.

Anyone out there having a resource or rule available for usage? I've found
reference to dropper but no useful sig in the ruleset(s). Also no useful
result in threatexpert, virustotal or others.

No specific rule for winhe800.exe etc.

Resources

(only works from webcache)
http://webcache.googleusercontent.com/search?q=cache:HvFwmWx3I2EJ:xml.ssdsandbox.net/view/bf7b927f7e737a49cb46c25a447fa254+winhe800+url&cd=3&hl=nl&ct=clnk&gl=nl&source=www.google.nl

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=556848#none
http://vil.nai.com/vil/content/v_472810.htm

http://download.globalhauri.com/customer/security/virus_view.html?intSeq=2251&page=14&keyfield=&key=&SelectPart=
http://www.hauri.co.kr/customer/security/virus_view.html?intSeq=2251&page=12&keyfield=&key=&SelectPart=1


Best Regards,

S.C.

-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list