alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; content:"WORKED"; http_header; pcre:"/User-Agent\x3a[^\n]+WORKED/H"; classtype:trojan-activity; sid:2012909; rev:2;)

Added 2011-10-12 19:35:30 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; content:"WORKED"; http_header; pcre:"/User-Agent\x3a[^\n]+WORKED/H"; classtype:trojan-activity; sid:2012909; rev:2;)

Added 2011-07-22 23:01:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; content:"WORKED"; http_header; pcre:"/User-Agent|3a|[^\n]+WORKED/H"; classtype:trojan-activity; sid:2012909; rev:1;)

Added 2011-05-31 15:33:09 UTC

This activity has been observed in connection with activity from what appears to be the Begman trojan, with one or more versions having it tagged on to the end of the user-agent string:

herfdsev[.]com/l.php?v=0.10d&id=16934252&wv=6.0.2900.5512

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; InfoPath.2)WORKED

See also 2012908.

-- DarrenSpruell - 01 Jun 2011


Topic revision: r2 - 2011-06-01 - DarrenSpruell
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats