# ET sid 2007142 rev 4 — current revision on this page. The leading '#' disables the rule
# in this revision; an active posting of the same rev 4 text appears further down the history.
# What it matches: an outbound HTTP request (HOME_NET -> EXTERNAL_NET on HTTP_PORTS, established
# flow, client-to-server) whose normalized URI contains "?sid=" followed by at least 180
# consecutive uppercase hex characters [0-9A-F]. The content/http_uri match narrows candidate
# requests before the pcre (/U = URI buffer) enforces the run length and character class.
# Caveats for tuning: the pattern is case-sensitive (lowercase hex does not match), has no
# trailing anchor or boundary (longer runs also match), and carries no host or path constraint,
# so any long uppercase-hex "sid" query token in outbound traffic will fire — NOTE(review):
# corroborate a hit against the referenced ET doc rather than treating it as conclusive.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:39:14 UTC
Added 2018-09-13 17:53:31 UTC
# ET sid 2007142 rev 4, disabled (leading '#'). Same rule text as the entry above it on this
# page: outbound HTTP request whose normalized URI has "?sid=" followed by at least 180
# uppercase hex characters; case-sensitive, no trailing anchor, no host/path constraint.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-02-07 18:13:51 UTC
# ET sid 2007142 rev 4 — active posting (no leading '#') with the created_at/updated_at
# metadata fields. Matches an outbound HTTP request (HOME_NET -> EXTERNAL_NET on HTTP_PORTS,
# established, to_server) whose normalized URI contains "?sid=" followed by at least 180
# consecutive uppercase hex characters [0-9A-F]; content/http_uri narrows candidates, the
# pcre (/U) enforces length and character class. The pattern is case-sensitive and has no
# trailing anchor, so longer uppercase-hex runs match too; there is no host or path constraint.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:00:24 UTC
# ET sid 2007142 rev 4 before the metadata fields were added: identical detection logic
# (outbound HTTP, normalized URI "?sid=" + at least 180 uppercase hex characters, pcre /U),
# single reference to the ET doc page. Rule text differs from later postings only in the
# absence of the metadata:created_at/updated_at option.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4;)
Added 2011-10-12 19:22:24 UTC
# ET sid 2007142 rev 4, earlier posting: same content/http_uri + pcre /U detection; only the
# order of the classtype and reference options differs from the later rev 4 text, which does
# not affect matching (these are non-payload metadata options).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; sid:2007142; rev:4;)
Added 2011-09-14 22:35:57 UTC
# ET sid 2007142 rev 4, first rev 4 posting: rev 3's uricontent:"?sid=" was replaced by
# content:"?sid="; http_uri; (same normalized-URI buffer, modern keyword form); the pcre
# /\?sid=[0-9A-F]{180}/U is unchanged. Still carries the second reference to the legacy
# cvsweb sigs path, which later postings drop.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:4;)
Added 2011-02-04 17:26:11 UTC
# ET sid 2007142 rev 3: adds the two reference URLs to the rev 2 text. Detection uses the
# legacy uricontent:"?sid=" keyword (normalized URI buffer) plus the same pcre /U requiring
# at least 180 uppercase hex characters after "?sid="; case-sensitive, no trailing anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)
Added 2009-02-13 19:47:26 UTC
# ET sid 2007142 rev 3 (repeat posting, identical text): uricontent:"?sid=" + pcre /U for
# at least 180 uppercase hex characters; two reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)
Added 2009-02-13 19:47:26 UTC
# ET sid 2007142 rev 3 (repeat posting, identical text): uricontent:"?sid=" + pcre /U for
# at least 180 uppercase hex characters; two reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)
Added 2009-02-13 19:46:39 UTC
# ET sid 2007142 rev 3 (repeat posting, identical text): uricontent:"?sid=" + pcre /U for
# at least 180 uppercase hex characters; two reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)
Added 2009-02-13 19:46:39 UTC
# ET sid 2007142 rev 3 (repeat posting, identical text): uricontent:"?sid=" + pcre /U for
# at least 180 uppercase hex characters; two reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)
Added 2009-02-13 19:45:24 UTC
# ET sid 2007142 rev 3, first rev 3 posting: rev 2 text plus the two reference URLs.
# uricontent:"?sid=" + pcre /U requiring at least 180 uppercase hex characters after "?sid=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)
Added 2009-02-13 19:45:24 UTC
# ET sid 2007142 rev 2: msg prefix changed from "BLEEDING-EDGE TROJAN" to "ET TROJAN";
# detection logic unchanged from rev 1 (uricontent:"?sid=" + pcre /U, at least 180
# uppercase hex characters). No reference option yet.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; sid:2007142; rev:2;)
Added 2008-01-31 10:12:24 UTC
At our site we've had good luck with this signature. Tech staff report:
The Virtumonde alert is fairly consistent in terms of being detected. As
for what it is, this page provides one of the better descriptions:
http://www.f-secure.com/sw-desc/virtumonde.shtml
In terms of removal, Symantec does not find it at all as of right now.
SpyBot (with updates) will find the registry keys that the malware uses
and remove them, but does not remove the actual binary files of the
malware itself (so it just happily rewrites the registry entries
immediately).
As for removal, the tool provided on the F-Secure page linked above has
been effective in correcting the problem.
An important note on removal is that Symantec also provides a page
detailing this malware, but their removal tool takes forever to run and
does not work.
That's about it for now,
Sergey
Housing Technology
--
RegQuinton - 02 Apr 2008
# ET sid 2007142 rev 2 (repeat posting, identical text): uricontent:"?sid=" + pcre /U for
# at least 180 uppercase hex characters; no reference option.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; sid:2007142; rev:2;)
Added 2008-01-31 10:12:24 UTC
# Original rev 1 under the "BLEEDING-EDGE TROJAN" msg prefix. The detection logic that every
# later revision keeps is already here: outbound HTTP (HOME_NET -> EXTERNAL_NET, HTTP_PORTS,
# established, to_server), normalized URI containing "?sid=" followed by at least 180
# uppercase hex characters; case-sensitive, no trailing anchor, no host/path constraint.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; sid:2007142; rev:1;)
Added 2007-08-14 01:38:12 UTC