Bleeding: sigs/VIRUS

File	Rev.	Age	Author	Last log entry
Attic/   [show contents]
BOT_IP_Discovery	1.2	2 years	fknobbe	SID 2003051: Added GET for HTTP Request check.
TROJAN_Backdoor.Hupigon	1.2	2 years	jonkman	Typo
TROJAN_Backdoor.Win32.SkSocket	1.2	12 months	jonkman	2007585 2007586: temporary
TROJAN_Bandook	1.8	15 months	jonkman	2003937: New sig by Joe Stewart
TROJAN_Banker.Delf	1.19	9 months	jonkman	2007699: new trojan in the sandnet
TROJAN_Banload.Downloader	1.4	15 months	jonkman	2004440: New banload UA
TROJAN_Basine	1.1	9 months	jonkman	: love them trojans
TROJAN_Blackenergy	1.2	9 months	jonkman	2007668: Fixed a missing newline
TROJAN_Bofra	1.8	2 years	fknobbe	SIDs 2001430: Removed space behind reference to avoid duplicate reference_system...
TROJAN_Brontok	1.1	12 months	jonkman	: New one
TROJAN_Dialers	1.4	14 months	jonkman	2006364: typo fix
TROJAN_Diazom	1.1	16 months	jonkman	: New badness
TROJAN_Downloader-1355	1.2	19 months	jonkman	2003408: pure not rule crud
TROJAN_Downloader-388	1.4	20 months	jonkman	Didn't escape the semicolon
TROJAN_Downloader-5265	1.2	16 months	jonkman	2003590: added other references
TROJAN_Downloader.Dluca	1.1	12 months	jonkman	: new badness
TROJAN_Downloader_General	1.24	10 months	jonkman	2007633: new from the sandnet
TROJAN_Dropper.Agent.cah	1.2	10 months	jonkman	2007644: typo fix
TROJAN_Dumador	1.2	2 years	jonkman	Updated by Tom Fischer. Reduced the first uricontent
TROJAN_Duntek	1.1	17 months	mwarren	Added sid:2003537 TROJAN_Duntek
TROJAN_EliteKeyLogger	1.3	2 years	jonkman	Various changes,mostly name standardization
TROJAN_ExplorerHijack	1.1	9 months	jonkman	: new fun
TROJAN_Farfli	1.2	10 months	jonkman	2007646 2007658: A new farfly UA
TROJAN_Feral	1.2	12 months	jonkman	2007283 2007286: sid update
TROJAN_General	1.3	2 years	fknobbe	SID 2002982: Changed INFECTAD0 back to INFECTADO. Looks like someone got their s...
TROJAN_Generic.Malware	1.3	16 months	jonkman	2003640 2003644 2003645: New useragents from castlecops
TROJAN_Goldun	1.4	23 months	fknobbe	SID 2003107, 2003108: Added Goldun dropsite URLs (sd.php is used with POST)
TROJAN_Gozi	1.2	10 months	jonkman	2003286 2003287 2007632: new from cees elzinga
TROJAN_HTTP_Botnets	1.10	2 years	jonkman	Various changes,mostly name standardization
TROJAN_HackerDefender	1.10	20 months	jonkman	flow fix
TROJAN_HaxDoor	1.8	2 years	fknobbe	SID 2002929: Added new Haxdoor sig from Tom Fischer.
TROJAN_Hotword	1.10	2 years	fknobbe	SIDs 2001615 2001723 2001841 2001961 2001962 2001963 2001964 2001965 2001966 200...
TROJAN_Hupington	1.8	9 months	jonkman	2007689: love the trojans
TROJAN_ICMP_Tunnel	1.4	2 years	fknobbe	SID 2003073: Reorderd options.
TROJAN_IRC_Bots	1.92	9 months	jonkman	2007672: new from Reg
TROJAN_IRC_Kaiten	1.1	11 months	jonkman	: more new from Reg
TROJAN_IRC_Pitbull	1.1	11 months	jonkman	: new from Reg Quinton
TROJAN_Ilookup	1.6	2 years	fknobbe	SIDs 2001066: Removed space behind reference to avoid duplicate reference_system...
TROJAN_Inject	1.1	16 months	jonkman	2003636 2003639 2003640 2003641 2003642: New UAs from castlecops
TROJAN_Klom	1.2	17 months	jonkman	2003537 2003538: sid conflict
TROJAN_Lager.Win32	1.4	19 months	jonkman	New
TROJAN_MisleadApp	1.1	12 months	jonkman	: new from Scott Melnick
TROJAN_Mitglieder	1.4	2 years	jonkman	Removed depth,no longer valid
TROJAN_Nukebot	1.1	18 months	jonkman	: Nice find by websense
TROJAN_Nulprot	1.2	10 months	jonkman	2007669: added an anchor
TROJAN_Orderjack	1.1	2 years	fknobbe	SID 2002854: New sig from Tom Fisher to detect a Trojan Horse that steals bank d...
TROJAN_PPAgent	1.1	23 months	jonkman	: New from Russ McRee
TROJAN_PRG	1.6	8 months	bhartstein	sid:2007688 added reference
TROJAN_PWS-LDPinch	1.2	14 months	jonkman	2006385: new ones
TROJAN_PWS_Banker	1.5	3 years	mwarren	SID: 2001933: Added URL References
TROJAN_PWS_Generic	1.3	14 months	jonkman	2005384 2006384: Sid issue, geez
TROJAN_PassSickle	1.1	2 years	fknobbe	New sig for PassSickle trojan, by Tom F. (SID 2002859)
TROJAN_Poebot	1.1	13 months	jonkman	: New poebot stuff
TROJAN_Postcard	1.3	3 years	mwarren	SID: 2001919, 2001920, 2001921: Added URL References
TROJAN_Proxy.Win32.Agent.MX	1.1	13 months	jonkman	: New from scott melnick
TROJAN_QQHelper	1.2	12 months	jonkman	2007569: new from the sandnet
TROJAN_Ransky	1.1	2 years	jonkman	New, should be accurate
TROJAN_Sicklebot	1.1	2 years	jonkman	New by Tom Fischer
TROJAN_Small	1.1	16 months	jonkman	2003640 2003644 2003645: New useragents from castlecops
TROJAN_Snatch	1.2	17 months	jonkman	: typo fix
TROJAN_Socks666	1.2	11 months	jonkman	2006398: typo fix
TROJAN_SpamThru	1.1	22 months	jonkman	New from Joe Stewart
TROJAN_Srv.SSA-KeyLogger	1.1	3 years	jonkman	New, info from Eric Stites
TROJAN_Storm	1.9	9 months	jonkman	2006411 2007701 2007702: for the encrypted variant
TROJAN_Stormy	1.5	18 months	jonkman	2003435: typo
TROJAN_Torpig	1.3	23 months	jonkman	2003094: typo
TROJAN_Trojan.Win32.Qhost	1.1	12 months	jonkman	: new c&c
TROJAN_Vanquish	1.1	9 months	jonkman	: new trojan in the sandnet
TROJAN_Virtumonde	1.2	12 months	jonkman	2007285: more virtumonde
TROJAN_Virut	1.2	16 months	jonkman	2003603: typo fix
TROJAN_Vundo	1.1	12 months	jonkman	: love spyware
TROJAN_W32.VB.aie	1.1	2 years	jonkman	New from Tom Fischer
TROJAN_W32Agent.dsi	1.4	2 years	jonkman	2002792: Made more general by Tom Fischer
TROJAN_Warezov	1.17	13 months	jonkman	2006414: another typo, geex
TROJAN_Win32.Agent.Alt	1.3	12 months	jonkman	2007588 2007589 2007590 2007591: updated, removed flow to catch other variants
TROJAN_Win32.Agent.GRW	1.2	9 months	jgregory	Delete rule 2007665, as per Reg Quinton's request to bleeding-sigs mailing list ...
TROJAN_Win32.Agent.ajx	1.3	13 months	jonkman	2006448: typo fix
TROJAN_Win32.Agent.bea	1.1	12 months	jonkman	: from scott melnick
TROJAN_Win32.Agent.pt	1.1	10 months	jonkman	: another
TROJAN_Win32.Pakes	1.4	8 months	bhartstein	fix typo
TROJAN_Win32.Small.qh	1.1	12 months	jonkman	: new badness
TROJAN_Win32.Wopla	1.6	9 months	jonkman	2007604: update from shirkdog
TROJAN_XP_Keylogger	1.3	2 years	fknobbe	SIDs 2002938 2002940 2002941 2002942: Changed (and added) rules to provide direc...
TROJAN_Zlob	1.9	10 months	jonkman	2007567 2007636: Eliminating a fp
VIRUS_Bankem	1.3	16 months	jonkman	2002693 2002694 2002695 2002696: Cleanup and broadening
VIRUS_BugBear	1.4	2 years	fknobbe	SIDs 2001764 2001765 2001766: Removed space behind reference to avoid duplicate ...
VIRUS_Nugache	1.2	2 years	bhartstein	sid: 2002892, 2002893, 2002894, 2002895, 2002731, 2002898, 2002899, 2002899; man...
VIRUS_PE_Headers	1.4	16 months	jonkman	2003614 2003615: typo fix
VIRUS_Polymorphic_Experimental	1.2	22 months	jonkman	2003118 2003119 < #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-ED...
VIRUS_Sality	1.6	9 months	fknobbe	Added missing VIRUS label in SIDs 2003636 2003651.
VIRUS_Sober	1.51	16 months	jonkman	2001284 2001285 2001542 2001577 2001578 2001749 2001750 2001881 2001913 2001914 ...
VIRUS_Sobig_Trojan_Download_Request	1.6	3 years	mwarren	SID: 2001547: Added URL References
VIRUS_Trojan-Spy.Win32.Bancos	1.8	14 months	jonkman	2004114: Disabling for falses
VIRUS_Webber-Berbrew	1.6	2 years	jonkman	Name and content changes, disabling old useless sigs
VIRUS_Win32_AV-Killer	1.1	15 months	jonkman	: more
VIRUS_Win32_Mailer	1.9	19 months	jonkman	New
WORM_AIM_Bot	1.7	16 months	jonkman	2001905: cleanup
WORM_ATAK	1.12	2 years	fknobbe	SIDs 2000494: Removed space behind reference to avoid duplicate reference_system...
WORM_Allaple	1.8	17 months	jonkman	2003484: Adding threshold
WORM_Bagle_Variants	1.92	16 months	jonkman	2000561 2001064 2001065 2001270 2001292 2001390 2001391 2001556 2001567 2001568 ...
WORM_Bropia	1.7	2 years	jonkman	Name and content changes, disabling old useless sigs
WORM_CIA	1.6	13 months	jonkman	2001233: Fixing typo in msg
WORM_Evaman	1.9	2 years	fknobbe	Removed duplicate Evaman sig (2001290)
WORM_KORGO	1.11	13 months	jonkman	2003070: New korgo has a - in the url ver string, updated pcre
WORM_Kelvir	1.4	3 years	jonkman	New sigs by Scott Melnick
WORM_MySQL	1.9	19 months	jonkman	Cleaning up old sigs, obsoleted
WORM_Nometz	1.2	2 years	jonkman	Name and content changes, disabling old useless sigs
WORM_Novarg	1.10	2 years	jonkman	Name and content changes, disabling old useless sigs
WORM_Opaserv	1.4	2 years	fknobbe	SIDs 2001763: Removed space behind reference to avoid duplicate reference_system...
WORM_PHPInclude	1.8	2 years	fknobbe	SIDs 2001615 2001723 2001841 2001961 2001962 2001963 2001964 2001965 2001966 200...
WORM_PnP	1.2	2 years	jonkman	Name and content changes, disabling old useless sigs
WORM_Pyks	1.2	9 months	fknobbe	Changed label in SIDs 2003588 2003589.
WORM_RBOT	1.28	16 months	jonkman	2001184 2001220 2001367 2001554 2001584 2001676: cleaning up
WORM_Sasser	1.19	2 years	jonkman	Dropping 2001286: Snort.org sigs cover this better
WORM_Singworm	1.1	12 months	jonkman	: New from the SecureCiRT Team
WORM_Suspicious_Extensions	1.7	2 years	jonkman	Name and content changes, disabling old useless sigs
WORM_Web_Bots	1.6	17 months	jonkman	2002930: cleanup

Show files using tag:	Select Branch MAIN HEAD

Download tarball

---

CVS Admin Powered by ViewCVS 1.0-dev

ViewCVS and CVS Help