EmergingThreats> Main Web>2007142 (2008-04-02, MattJonkman) EditAttach

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-09-13 19:39:14 UTC

Added 2018-09-13 17:53:31 UTC

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-02-07 18:13:51 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4;)

Added 2011-10-12 19:22:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; sid:2007142; rev:4;)

Added 2011-09-14 22:35:57 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:4;)

Added 2011-02-04 17:26:11 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)

Added 2009-02-13 19:47:26 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)

Added 2009-02-13 19:47:26 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)

Added 2009-02-13 19:46:39 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)

Added 2009-02-13 19:46:39 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)

Added 2009-02-13 19:45:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virtumonde; sid:2007142; rev:3;)

Added 2009-02-13 19:45:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; sid:2007142; rev:2;)

Added 2008-01-31 10:12:24 UTC

At our site we've had good luck with this signature. Tech staff report:

The Virtumonde alert is fairly consistent in terms of being detected. As far as what it is, this page provides one of the better descriptions:

http://www.f-secure.com/sw-desc/virtumonde.shtml

In terms of removal, Symantec does not find it at all as of right now. SpyBot? (with updates), will find the registry keys that the malware uses and remove them, but does not remove the actual binary files of the malware itself (so it just happily rewrites the registry entries immediately).

As far as removal, the tool provided on the earlier f-secure website has been effective in correcting the problem.

An important note on removal, is that Symantec also provides a page detailing this malware, but their removal tool takes forever to run and does not work.

That's about it for now,

Sergey Housing Technology

-- RegQuinton - 02 Apr 2008

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; sid:2007142; rev:2;)

Added 2008-01-31 10:12:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; sid:2007142; rev:1;)

Added 2007-08-14 01:38:12 UTC

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2008-04-02 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats