Written by Matt Jonkman
Monday, 05 May 2008
I dropped the April Fools Day Storm sigs from Current Events, replaced with the latest, /load.exe.

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Thanks to Jeremy at Sudosecure.net for the update!
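
An added illustration, not part of the original post or the Emerging Threats ruleset: the Python below approximates the two payload checks of sid:2008077 (case-insensitive `uricontent`, byte-exact User-Agent `content`) and runs them over constructed requests. The function names, the sample requests and the host `example.test` are assumptions made for the example.

```python
# Payload checks of sid:2008077, with the rule's \: \; escapes and |0d 0a| decoded.
URI_NEEDLE = b"/load.exe"  # uricontent:"/load.exe"; nocase;
UA_NEEDLE = (b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; "
             b"Windows NT 5.1; SV1921)\r\n")  # content:"..."; no nocase, so exact bytes


def rule_matches(raw_request: bytes) -> bool:
    """Apply the rule's two content checks to one client-to-server HTTP request.

    Not modelled here: flow:established,to_server, the $HOME_NET/$EXTERNAL_NET/
    $HTTP_PORTS header, and Snort's URI normalization.
    """
    request_line, sep, _ = raw_request.partition(b"\r\n")
    parts = request_line.split(b" ")
    if not sep or len(parts) != 3:
        return False  # no parsable request line, so no URI buffer to search
    if URI_NEEDLE not in parts[1].lower():  # nocase: compare case-insensitively
        return False
    return UA_NEEDLE in raw_request  # header must match byte for byte


def _req(uri: bytes, ua_header: bytes) -> bytes:
    """Build a minimal constructed GET request with one User-Agent header."""
    return b"GET " + uri + b" HTTP/1.1\r\n" + ua_header + b"\r\nHost: example.test\r\n\r\n"


RULE_UA = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)"
# Ordinary IE6-style string ending in "SV1)", used here as the benign contrast.
STOCK_UA = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "rule_ua_load_exe": _req(b"/load.exe", RULE_UA),
    "rule_ua_upper_uri": _req(b"/LOAD.EXE", RULE_UA),
    "stock_ie6_ua": _req(b"/load.exe", STOCK_UA),
    "rule_ua_other_uri": _req(b"/index.html", RULE_UA),
    "lowercase_header_name": _req(b"/load.exe", RULE_UA.replace(b"User-Agent", b"user-agent")),
}


def evaluate() -> dict:
    """Return {sample name: True if both content checks match}."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24} {'ALERT' if hit else 'no alert'}")
```

Only the first two samples alert: the `SV1921` token in the User-Agent is what separates them from an ordinary IE6 request for the same path, and a client that changes the header's case or spacing falls outside the byte-exact `content` match.
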
Last Updated ( Wednesday, 07 May 2008 )