spyeraser096.exe is one of those fake anti-virus malware samples. When run, it sends a GET request to spyeraser.ir (193.104.110.81):
GET /statav.php?wmid=3&name=a0331bb5faf7707f HTTP/1.1
Host: spyeraser.ir
I used the script name and the query parameter names from the URI for the signature:
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"spyeraser096.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/statav.php?wmid="; uricontent:"&name="; sid:010120101;)
References:
Virustotal
ThreatExpert
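As an added illustration (not part of the original post), the following Python mirrors the rule's matching logic over constructed sample requests and adds a stricter, query-parsed variant that also catches the two parameters in swapped order, which the substring rule would miss.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not captures from the original post): the first
# mirrors the shape of the spyeraser.ir check-in, the rest are benign or
# near-miss traffic the signature should not fire on.
SAMPLE_REQUESTS = [
    "GET /statav.php?wmid=3&name=a0331bb5faf7707f HTTP/1.1\r\nHost: spyeraser.ir\r\n\r\n",
    "GET /statav.php?wmid=3 HTTP/1.1\r\nHost: spyeraser.ir\r\n\r\n",                 # no &name=
    "POST /statav.php?wmid=3&name=a0331bb5faf7707f HTTP/1.1\r\nHost: x\r\n\r\n",  # not GET
    "GET /index.php?page=statav&name=bob HTTP/1.1\r\nHost: example.org\r\n\r\n",   # benign
]

def parse_request(raw):
    """Return (method, uri, host) from a raw HTTP request, or None if malformed."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3:
        return None
    host = ""
    for line in head[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    return parts[0], parts[1], host

def matches_signature(raw):
    """Same logic as the Snort rule: GET method and both URI substrings present."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, _ = parsed
    return method == "GET" and "/statav.php?wmid=" in uri and "&name=" in uri

def matches_structured(raw):
    """Stricter variant: exact path plus both query parameters, in any order."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, _ = parsed
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    return (method == "GET" and parts.path == "/statav.php"
            and "wmid" in query and "name" in query)

def scan(requests):
    """Return the indices of requests flagged by the signature logic."""
    return [i for i, r in enumerate(requests) if matches_signature(r)]
```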