# sid 2021747, rev 10. Flags an outbound HTTP GET (client in $HOME_NET, server in
# $EXTERNAL_NET, established flow) whose URI contains ".php?id=" and "&stat=".
# The pcre narrows this to a URI ending in .php?id=<digits>&stat=<32 chars of a-z0-9>,
# optionally followed by &cidl=<digits> or &sidl=<digits, %, :, space, ->. The /U flag applies
# the expression to the normalized URI and the trailing $ anchors it to the end of that URI.
# The two negated http_header matches require that the headers contain neither "Accept-" nor
# "Referer:" (|3a| is the colon), which keeps ordinary browser requests from matching.
# Triage: the signature keys on request shape only, so corroborate an alert with host-side
# evidence before attributing it to the family named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Spy/TVRat Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/U"; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:10; metadata:created_at 2015_09_04, updated_at 2018_07_11;)

Added 2018-09-13 19:51:41 UTC


Added 2018-09-13 18:00:22 UTC


# sid 2021747, rev 10 (updated_at 2018_07_11). Relative to the rev 9 entries on this page the
# detection options are unchanged; msg drops the "Shade Ransomware" label and a
# "metadata: former_category TROJAN" option is added.
# Match logic: outbound GET, URI ending in .php?id=<digits>&stat=<32 chars of a-z0-9> with an
# optional &cidl= / &sidl= tail, and no "Accept-" or "Referer:" string in the request headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Spy/TVRat Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/U"; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:10; metadata:created_at 2015_09_04, updated_at 2018_07_11;)

Added 2018-07-11 17:47:44 UTC


# sid 2021747, rev 9, with created_at/updated_at metadata appended. The other rev 9 entry on
# this page lacks that metadata option, so the rule text differs while sid and rev stay the
# same; tooling that tracks changes by sid:rev alone will not see this difference.
# Match logic: outbound GET, URI ending in .php?id=<digits>&stat=<32 chars of a-z0-9> with an
# optional &cidl= / &sidl= tail, and no "Accept-" or "Referer:" string in the request headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Spy/TVRat/Shade Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:9; metadata:created_at 2015_09_04, updated_at 2016_08_10;)

Added 2017-08-07 21:16:29 UTC


# sid 2021747, rev 9. Only msg and rev differ from the rev 8 entries on this page: the alert
# name becomes "Win32.Spy/TVRat/Shade Ransomware Checkin", so one signature is labelled with
# more than one family name. The detection options are unchanged, which means an alert does
# not by itself tell the analyst which of the named families produced the request.
# Match logic: outbound GET, URI ending in .php?id=<digits>&stat=<32 chars of a-z0-9> with an
# optional &cidl= / &sidl= tail, and no "Accept-" or "Referer:" string in the request headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Spy/TVRat/Shade Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:9;)

Added 2016-08-10 17:26:07 UTC


# sid 2021747, rev 8. Compared with the rev 6 entry on this page, the fixed path
# "/getinfo.php?id=" is replaced by ".php?id=", so any PHP script name can match, and a pcre
# is added to compensate for the broader content match: the URI must end in
# .php?id=<digits>&stat=<32 chars of a-z0-9>, optionally followed by &cidl=<digits> or
# &sidl=<digits, %, :, space, ->. /U applies the expression to the normalized URI.
# The negated header matches still require no "Accept-" and no "Referer:" in the headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Spy.Pavica.O/TVRat Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:8;)

Added 2016-02-24 16:22:32 UTC


# sid 2021747, rev 8, the earliest entry on this page that carries the pcre. The content
# matches (".php?id=" and "&stat=" in the URI) select candidate requests; the pcre then
# requires id to be all digits and stat to be exactly 32 characters of a-z0-9, with only an
# optional &cidl= or &sidl= parameter allowed before the end of the normalized URI.
# The negated header matches require no "Accept-" and no "Referer:" in the request headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Spy.Pavica.O/TVRat Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:8;)

Added 2016-02-23 17:39:03 UTC


# sid 2021747, rev 6. The only detection change from the rev 5 entries on this page is the
# negated header match: "Accept" becomes "Accept-". Under rev 5 any header containing the
# string "Accept" (a plain "Accept:" header included) suppressed the alert; here only
# hyphenated names such as Accept-Encoding or Accept-Language do, so a request that sends a
# bare "Accept:" header can now match.
# The URI match is still tied to the fixed path "/getinfo.php?id=" followed by "&stat=".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Spy.Pavica.O/TVRat Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/getinfo.php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:5;)

Added 2016-01-05 18:51:32 UTC


# sid 2021747, rev 5, renamed. Compared with the earliest entry on this page, msg changes from
# "Backdoor.Win32.Sheldor.dt" to "Backdoor.Win32.Spy.Pavica.O/TVRat" and the threatexpert
# reference is gone, yet rev is still 5; change tracking by sid:rev alone misses this edit.
# Match logic: outbound GET whose URI contains "/getinfo.php?id=" and "&stat=", with no
# "Accept" string and no "Referer:" in the request headers. There is no pcre at this
# revision, so the values of id and stat are not constrained.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Spy.Pavica.O/TVRat Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/getinfo.php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:5;)

Added 2015-11-09 18:52:48 UTC


# sid 2021747, rev 5, the earliest entry on this page. Flags an outbound HTTP GET (client in
# $HOME_NET, server in $EXTERNAL_NET, established flow) whose URI contains the fixed path
# "/getinfo.php?id=" and the parameter "&stat=".
# The negated http_header matches require that the headers contain neither the string
# "Accept" nor "Referer:" (|3a| is the colon); because "Accept" is matched without a trailing
# hyphen, even a plain "Accept:" header prevents the alert.
# The threatexpert reference carries the MD5 of a sample report; later entries on this page
# no longer include it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Sheldor.dt Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/getinfo.php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=7006fbac78c8903f4e731e299ba264d2; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:5;)

Added 2015-09-04 18:52:32 UTC

