alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN FAKEAV CryptMEN? pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"|22|pack.exe|22|"; classtype:trojan-activity; sid:2012208; rev:5;)

Added 2014-09-12 16:28:29 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FAKEAV CryptMEN? pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; http_header; content:"pack.exe"; http_header; classtype:trojan-activity; sid:2012208; rev:2;)

Added 2011-10-12 19:33:43 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FAKEAV CryptMEN? pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; http_header; content:"pack.exe"; http_header; classtype:trojan-activity; sid:2012208; rev:2;)

Added 2011-02-04 17:32:07 UTC


-- RussellFulton - 19 Jul 2011

FPs on downloads of OpenCV from SourceForge:

Content-Disposition: attachment; filename="OpenCV-2.3.0-win-superpack.exe"

-- RussellFulton - 19 Jul 2011
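The false positive reported above comes from the rev:2 content match `pack.exe` having no delimiters, so it also hits inside `superpack.exe`; rev:5 matches the quoted filename `|22|pack.exe|22|` instead. The following is an added illustration, not code from the Emerging Threats page or from Suricata: it re-implements only the `|HH|` hex escaping and the plain substring semantics of the rule's `content` options (no `distance`/`within`, so each match is searched independently) and runs both revisions over two constructed response headers.

```python
import re

# Snort/Suricata content strings: |HH HH| groups are hex bytes, the rest is literal.
def parse_content(pattern: str) -> bytes:
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", pattern):
        if piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece[1:-1])
        else:
            out += piece.encode("latin-1")
    return bytes(out)

# Content options exactly as written in the two revisions of sid:2012208.
REV2_CONTENT = ["Content-Disposition|3a| attachment|3b| filename=", "pack.exe"]
REV5_CONTENT = ["Content-Disposition|3a| attachment|3b| filename=", "|22|pack.exe|22|"]

def rule_matches(contents, headers: bytes) -> bool:
    # Without distance/within each content is an independent substring search over
    # the buffer; the rule fires only when every content is found.
    return all(parse_content(c) in headers for c in contents)

# Constructed sample headers (not captured traffic): the payload name the rule
# targets, and the OpenCV download named in the false-positive report above.
TROJAN_HDR = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: application/octet-stream\r\n"
              b'Content-Disposition: attachment; filename="pack.exe"\r\n\r\n')
OPENCV_HDR = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: application/octet-stream\r\n"
              b'Content-Disposition: attachment; filename="OpenCV-2.3.0-win-superpack.exe"\r\n\r\n')

def evaluate() -> dict:
    return {
        "rev2_trojan": rule_matches(REV2_CONTENT, TROJAN_HDR),
        "rev2_opencv": rule_matches(REV2_CONTENT, OPENCV_HDR),  # the reported FP
        "rev5_trojan": rule_matches(REV5_CONTENT, TROJAN_HDR),
        "rev5_opencv": rule_matches(REV5_CONTENT, OPENCV_HDR),  # quoted match excludes it
    }

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```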


Topic revision: r2 - 2011-07-19 - RussellFulton