""ET TROJAN Fraudload/FakeAlert/FakeVimes Downloader - POST""

SID: 2009751

Revision: 7

Class Type: trojan-activity

Metadata: created_at 2010_07_30, updated_at 2010_10_29

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"

  • Value: "verint="

  • Value: "&wv="

  • Value: "&report="

  • Value: "&abbr="

  • Value: "&pid="

Within:

PCRE:

Special Options:

  • nocase

  • http_method

  • nocase

  • http_header

  • nocase

  • http_client_body

  • nocase

  • http_client_body

  • nocase

  • http_client_body

  • nocase

  • http_client_body

  • http_client_body

source