# ET TROJAN WORM_VOBFUS "Requesting exe" -- sid 2015969 rev 13 (newest revision on this page).
# Rewritten against the HTTP-aware buffers: method GET (http_method), a '?' in the normalized
# URI (http_uri, offset:2/depth:11 sized to the {1,10} path) whose shape is /<1-10 alnum>[/]?<query>
# (pcre /Ui, case-insensitive), and a hard-coded "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
# SV1)" User-Agent line immediately followed by "Host: " within the first 76 bytes of http_header
# (fast_pattern:55,20 selects the 20 bytes "NT 5.1; SV1)\r\nHost: " of that content).
# Differences from rev 12 below: destination port is now "any" instead of 1024:, and the trailing
# header pcre (/HRi) ends with "\r\n" rather than "\r\n\r\n$", so it no longer appears to require
# Host to be the last header. Net effect: broader scope, with the fixed User-Agent and URI shape
# doing the discriminating. NOTE(review): any client sending this exact legacy User-Agent with a
# matching short-path query URI would also match -- tune/verify against local traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:2; depth:11; http_uri; content:"GET"; http_method; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+?$/Ui"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; depth:76; http_header; fast_pattern:55,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n/HRi"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:13; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

Added 2017-08-07 21:09:36 UTC


# sid 2015969 rev 12 -- raw-TCP form of the same detection, to $EXTERNAL_NET ports 1024: only.
# Matches "GET " at payload start, a '?' at offset:6/depth:11 (the window is sized to the {1,10}
# path length in the following pcre), a request line of the form GET /<1-10 alnum>[/]?<query> HTTP/1.[01]
# (pcre /Ri, case-insensitive), then the fixed MSIE 7.0 / Windows NT 5.1 / SV1 User-Agent line
# directly followed by "Host: " within 77 bytes; fast_pattern:57,20 covers "NT 5.1; SV1)\r\nHost: ".
# The final pcre (\r\n\r\n$) requires Host (optionally followed by "Connection: Keep-Alive") to close
# the header block, i.e. a minimal request with no further headers.
# Only change from rev 11: path length {1,9} -> {1,10} and the '?' depth 10 -> 11 to match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:11; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+? HTTP\/1\.[0-1]/Ri"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:12;)

Added 2014-05-16 18:09:43 UTC


# sid 2015969 rev 11 -- same structure as rev 12: "GET " prefix, '?' within offset:6/depth:10,
# request line GET /<1-9 alnum>[/]?<query> HTTP/1.[01] (pcre /Ri), fixed MSIE 7.0 / NT 5.1 / SV1
# User-Agent followed directly by "Host: " (within:77, fast_pattern:57,20), and a header block that
# ends right after Host (optionally "Connection: Keep-Alive").
# Only change from rev 10: path length {1,4} -> {1,9} and the '?' depth 5 -> 10 to match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:10; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]{1,9}\/?\?.+? HTTP\/1\.[0-1]/Ri"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:11;)

Added 2014-04-08 15:26:42 UTC


# sid 2015969 rev 10 -- request line GET /<1-4 alnum>[/]?<query> HTTP/1.[01]; '?' within
# offset:6/depth:5; fixed MSIE 7.0 / NT 5.1 / SV1 User-Agent directly followed by "Host: "
# (within:77, fast_pattern:57,20); header block must end after Host / optional Connection: Keep-Alive.
# Changes from rev 9: path length {1,3} -> {1,4}, and the request-line pcre gains the 'i' flag
# (the header pcre was already /Ri), so upper-case path characters now match too.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:5; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]{1,4}\/?\?.+? HTTP\/1\.[0-1]/Ri"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:10;)

Added 2013-09-30 20:28:45 UTC


# sid 2015969 rev 9 -- request line GET /<1-3 alnum>[/]?<query> HTTP/1.[01] (pcre /R, case-sensitive
# for the path), '?' within offset:6/depth:5, fixed MSIE 7.0 / NT 5.1 / SV1 User-Agent directly
# followed by "Host: " (within:77, fast_pattern:57,20), header block ending after Host.
# Changes from rev 8: destination ports widened from [443,80,8080,9000:9009] to every port >= 1024,
# and the query part loosened from a single [a-z] character to ".+?" (any non-empty query).
# Both changes broaden coverage; the fixed User-Agent plus short path remains the discriminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:5; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]{1,3}\/?\?.+? HTTP\/1\.[0-1]/R"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:9;)

Added 2013-06-04 22:34:14 UTC


# sid 2015969 rev 8 -- destination ports [443,80,8080,9000:9009]; request line
# GET /<1-3 alnum>[/]?<one letter> HTTP/1.[01] (pcre /R), '?' within offset:6/depth:5, fixed
# MSIE 7.0 / NT 5.1 / SV1 User-Agent directly followed by "Host: " (within:77, fast_pattern:57,20),
# header block ending after Host (optionally "Connection: Keep-Alive").
# Only change from rev 6: path length grows from exactly one alnum character to {1,3}, with the
# '?' depth raised 2 -> 5 accordingly. (No rev 7 entry appears on this page.)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:5; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]{1,3}\/?\?[a-z] HTTP\/1\.[0-1]/R"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:8;)

Added 2013-06-03 18:54:53 UTC


# sid 2015969 rev 6 -- first revision built on request structure rather than a specific domain.
# Matches "GET " at payload start, a '?' within offset:6/depth:2, a request line of exactly
# GET /<one alnum>[/]?<one letter> HTTP/1.[01] (pcre /R), the fixed MSIE 7.0 / NT 5.1 / SV1
# User-Agent directly followed by "Host: " (within:77, fast_pattern:57,20), and a header block that
# ends after Host (optionally "Connection: Keep-Alive").
# Compared with rev 5: the ".ddns" / ".eu" Host content matches and the \d{5}.ddns[a-z0-9].eu host
# pattern are gone, and the fast pattern moves from the 5-byte ".ddns" to a 20-byte slice of the
# User-Agent line. Detection no longer depends on that dynamic-DNS naming, so it survives
# infrastructure changes but also matches any host contacted with this request shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:2; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]\/?\?[a-z] HTTP\/1\.[0-1]/R"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:6;)

Added 2013-05-31 18:51:41 UTC


# sid 2015969 rev 5 -- infrastructure-keyed form. Pre-filters on "GET " at payload start, the
# substring "MSIE 7.0;", then ".ddns" (fast_pattern, 5 bytes) followed after one byte by ".eu\r\n".
# The pcre then requires the whole request to be: GET /<alnum+>[/]?<letter><digit?> HTTP/1.1,
# a User-Agent header (any value) as the first header, and "Host: <5 digits>.ddns<alnum>.eu" as the
# last header (\r\n\r\n$), case-insensitive.
# Only change from rev 4: destination port 9004 widened to the range 9000:9009.
# Tied to a dynamic-DNS naming scheme; later revisions (rev 6 onward) drop this in favour of the
# fixed User-Agent plus short-path URI shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"GET "; depth:4; content:"MSIE 7.0|3b|"; content:".ddns"; fast_pattern; distance:0; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/GET \/[a-z0-9]+?\/?\?[a-z]\d? HTTP\/1\.1\r\nUser-Agent\x3a .+?\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\.eu\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:5;)

Added 2012-12-03 21:50:52 UTC


# sid 2015969 rev 4 -- earliest revision on this page; destination ports [443,80,8080,9004].
# Pre-filters on "GET " at payload start, "MSIE 7.0;", ".ddns" (fast_pattern) and ".eu\r\n" one
# byte later; the pcre then requires the full request GET /<alnum+>[/]?<letter><digit?> HTTP/1.1
# with a User-Agent header as the first header and "Host: <5 digits>.ddns<alnum>.eu" as the last
# header (\r\n\r\n$), case-insensitive.
# The reference md5 and the Trend Micro "watch out for WORM_VOBFUS" write-up are carried in the rule
# body and stay unchanged through every later revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9004] (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"GET "; depth:4; content:"MSIE 7.0|3b|"; content:".ddns"; fast_pattern; distance:0; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/GET \/[a-z0-9]+?\/?\?[a-z]\d? HTTP\/1\.1\r\nUser-Agent\x3a .+?\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\.eu\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:4;)

Added 2012-11-29 21:01:34 UTC

