"ET TROJAN WORM_VOBFUS Checkin 1"
SID: 2015968
Revision: 5
Class Type: trojan-activity
Metadata: created_at 2012_11_30, updated_at 2012_11_30
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: [443,80,8080,9000:9009]
Flow: established,to_server
Contents:
- Value: "GET " Depth: 4
- Value: "/1/?"
- Value: " HTTP"
- Value: "MSIE 7.0|3b|"
- Value: ".ddns"
- Value: ".eu|0d 0a|" Within: 5
PCRE: "/\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\x2eeu\r\n\r\n$/"
Special Options:
- fast_pattern