Trojan/Backdoor/Spyware 7.23

# NOTE(review): only the rule carrying sid:2090715011 below has sid/rev options; Snort requires a unique sid on every rule, so the others will not load until one is assigned from the local range (>= 1000000).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Backdoor.Win32.Dreamy.bc"; flow:to_server,established; uricontent:"/nnk1/knock.php"; uricontent:"win="; uricontent:"id="; uricontent:"lip="; uricontent:"s5="; content:"Host|3a 20|nospam|2d|ns|2e|com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*nospam\x2dns\x2ecom/smi";)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Sality.AM 1"; flow:to_server,established; uricontent:"/logo.gif"; content:"Host|3a 20|hotelkalingaindore|2e|com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*hotelkalingaindore\x2ecom/smi"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Sality.AM 2"; flow:to_server,established; uricontent:"/mainf.gif"; content:"Host|3a|"; nocase; content:"lasercareindia|2e|com"; nocase; distance:0; pcre:"/^Host\x3a[^\r\n]*lasercareindia\x2ecom/smi"; classtype:Virus; reference:tsl,FSC20090715-01; sid:2090715011; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Sality.AM 2"; flow:to_server,established; uricontent:"/mainf.gif"; content:"Host|3a 20|lasercareindia|2e|com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*lasercareindia\x2ecom/smi"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan-Spy.Win32.PerfectKeylogger"; flow:to_server,established; uricontent:"/1stupload.php"; content:"Host|3a 20|www|2e|wardomania|2e|com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ewardomania\x2ecom/smi"; )
