Trojan/Worm(090907)

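# Outbound (HOME_NET -> EXTERNAL_NET) detections for three malware families.
# Changes from the rules as published:
#   * Typographic quotes (” and ″) replaced with ASCII double quotes; the rule
#     parser only accepts ASCII quotes around option arguments.
#   * Header strings (User-Agent, Host) moved from uricontent to content with
#     http_header. uricontent inspects only the normalized request URI, so a
#     header string there cannot match, and http_header modifies content only.
#   * sid/rev added. The page gives no SIDs; the values below are constructed
#     placeholders in the local-use range (>= 1000000). Renumber them to fit
#     your own rule set before loading.
# nocase applies only to the content/uricontent option directly before it.

# P2P-Worm.Win32.Malas.r: HTTP request whose URI carries "a_id=" and
# "domainname=" and whose User-Agent header contains "KuKu".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"P2P-Worm.Win32.Malas.r"; flow:to_server,established; uricontent:"a_id="; uricontent:"domainname="; content:"User|2d|Agent|3a 20|KuKu"; nocase; http_header; sid:1000001; rev:1;)

# Trojan.BAT.Shutdown.ef: request for /4.htm on one hard-coded host.
# This is a single-domain indicator, so it stops firing if the host changes.
# Pair it with DNS/proxy log review for the same domain.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan.BAT.Shutdown.ef"; flow:to_server,established; uricontent:"/4.htm"; content:"Host|3a 20|www|2e|cy074|2e|cn"; nocase; http_header; sid:1000002; rev:1;)

# Worm.Win32.Sddrop.D: IRC registration (NICK followed by USER) carrying the
# fixed "yahoo.com" "127.0.0.1" arguments, plus a "PONG 3BB33" reply.
# Only ports 6664-6669 are inspected; IRC traffic on other ports is not covered.
# Dots in the pcre are escaped so they match literally, in line with the
# preceding content match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6664:6669 (msg:"Worm.Win32.Sddrop.D 1"; flow:to_server,established; content:"|22|yahoo.com|22 20 22|127.0.0.1|22|"; nocase; pcre:"/NICK[^\n]+\nUSER\x20+[^\x20]+\x20+\x22yahoo\.com\x22\x20\x22127\.0\.0\.1\x22/"; content:"PONG 3BB33"; sid:1000003; rev:1;)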
