Sourcefire VRT Update
Date: 2006-06-13
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.
The format of the file is:
sid - Message (rule group)
New rules:
6472 - BACKDOOR bugs runtime detection - file manager client-to-server (backdoor.rules)
6473 - BACKDOOR bugs runtime detection - file manager server-to-client (backdoor.rules)
6474 - BACKDOOR w32.loosky.gen@mm runtime detection - notification (backdoor.rules)
6475 - BACKDOOR badrat 1.1 runtime detection - flowbit set (backdoor.rules)
6476 - BACKDOOR badrat 1.1 runtime detection (backdoor.rules)
6477 - SPYWARE-PUT Hacker-Tool beee runtime detection - smtp (spyware-put.rules)
6478 - SPYWARE-PUT Trackware searchingall toolbar runtime detection - send user url request (spyware-put.rules)
6479 - SPYWARE-PUT Snoopware totalvelocity zsearch runtime detection (spyware-put.rules)
6480 - SPYWARE-PUT Hijacker cws.cameup runtime detection - home page (spyware-put.rules)
6481 - SPYWARE-PUT Hijacker cws.cameup runtime detection - search (spyware-put.rules)
6482 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - get info (spyware-put.rules)
6483 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - home page hijacker (spyware-put.rules)
6484 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - search (spyware-put.rules)
6485 - SPYWARE-PUT Adware spyfalcon runtime detection - action report (spyware-put.rules)
6486 - SPYWARE-PUT Adware spyfalcon runtime detection - notification (spyware-put.rules)
6487 - SPYWARE-PUT Adware searchnugget toolbar runtime detection - check updates (spyware-put.rules)
6488 - SPYWARE-PUT Adware searchnugget toolbar runtime detection - redirect mistyped urls (spyware-put.rules)
6489 - SPYWARE-PUT Hijacker analyze IE runtime detection - default page hijacker (spyware-put.rules)
6490 - SPYWARE-PUT Dialer yeaknet runtime detection - home page hijacker (spyware-put.rules)
6491 - SPYWARE-PUT Dialer yeaknet runtime detection - post-installation (spyware-put.rules)
6492 - SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - notification (spyware-put.rules)
6493 - SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - post data (spyware-put.rules)
6494 - SPYWARE-PUT Adware yourenhancement runtime detection (spyware-put.rules)
6495 - SPYWARE-PUT Hijacker troj_spywad.x runtime detection (spyware-put.rules)
6496 - SPYWARE-PUT Adware adpowerzone runtime detection (spyware-put.rules)
6497 - BACKDOOR exploiter 1.0 runtime detection (backdoor.rules)
6498 - BACKDOOR exploiter 1.0 runtime detection (backdoor.rules)
6499 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6500 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6501 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6502 - WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0 (web-client.rules)
6503 - WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0 (web-client.rules)
6504 - WEB-CLIENT Sophos Anti-Virus CAB file overflow attempt (web-client.rules)
6505 - WEB-CLIENT quicktime fpx file SectNumMiniFAT overflow attempt (web-client.rules)
6506 - WEB-CLIENT quicktime udta atom overflow attempt (web-client.rules)
6507 - WEB-MISC novell edirectory imonitor overflow attempt (web-misc.rules)
6508 - EXPLOIT EMC retrospect client crafted packet overflow attempt (exploit.rules)
6509 - WEB-CLIENT Internet Explorer mhtml uri href buffer overflow attempt (web-client.rules)
6510 - WEB-CLIENT Internet Explorer mhtml uri shortcut buffer overflow attempt (web-client.rules)
6511 - WEB-MISC ALT-N WebAdmin user param overflow attempt (web-misc.rules)
6512 - EXPLOIT symantec antivirus realtime virusscan overflow attempt (exploit.rules)

Updated rules:
731 - DELETED Virus - Possible QAZ Worm (deleted.rules)
732 - DELETED Virus - Possible QAZ Worm Infection (deleted.rules)
733 - DELETED Virus - Possible QAZ Worm Calling Home (deleted.rules)
738 - DELETED Virus - Possible Pikachu Pokemon Virus (deleted.rules)
739 - DELETED Virus - Possible Triplesix Worm (deleted.rules)
740 - DELETED Virus - Possible Tune.vbs (deleted.rules)
741 - DELETED Virus - Possible NAIL Worm (deleted.rules)
742 - DELETED Virus - Possible NAIL Worm (deleted.rules)
743 - DELETED Virus - Possible NAIL Worm (deleted.rules)
744 - DELETED Virus - Possible NAIL Worm (deleted.rules)
745 - DELETED Virus - Possible Papa Worm (deleted.rules)
746 - DELETED Virus - Possible Freelink Worm (deleted.rules)
748 - DELETED Virus - Possible BADASS Worm (deleted.rules)
749 - DELETED Virus - Possible ExploreZip.B Worm (deleted.rules)
751 - DELETED Virus - Possible wscript.KakWorm (deleted.rules)
752 - DELETED Virus Possible Suppl Worm (deleted.rules)
753 - DELETED Virus - Possible NewApt.Worm - theobbq.exe (deleted.rules)
754 - DELETED Virus - Possible Word Macro - VALE (deleted.rules)
755 - DELETED Virus - Possible IROK Worm (deleted.rules)
756 - DELETED Virus - Possible Fix2001 Worm (deleted.rules)
757 - DELETED Virus - Possible Y2K Zelu Trojan (deleted.rules)
758 - DELETED Virus - Possible The_Fly Trojan (deleted.rules)
759 - DELETED Virus - Possible Word Macro - VALE (deleted.rules)
760 - DELETED Virus - Possible Passion Worm (deleted.rules)
761 - DELETED Virus - Possible NewApt.Worm - cooler3.exe (deleted.rules)
762 - DELETED Virus - Possible NewApt.Worm - party.exe (deleted.rules)
763 - DELETED Virus - Possible NewApt.Worm - hog.exe (deleted.rules)
764 - DELETED Virus - Possible NewApt.Worm - goal1.exe (deleted.rules)
765 - DELETED Virus - Possible NewApt.Worm - pirate.exe (deleted.rules)
766 - DELETED Virus - Possible NewApt.Worm - video.exe (deleted.rules)
767 - DELETED Virus - Possible NewApt.Worm - baby.exe (deleted.rules)
768 - DELETED Virus - Possible NewApt.Worm - cooler1.exe (deleted.rules)
769 - DELETED Virus - Possible NewApt.Worm - boss.exe (deleted.rules)
770 - DELETED Virus - Possible NewApt.Worm - g-zilla.exe (deleted.rules)
771 - DELETED Virus - Possible ToadieE-mail Trojan (deleted.rules)
772 - DELETED Virus - Possible PrettyPark Trojan (deleted.rules)
773 - DELETED Virus - Possible Happy99 Virus (deleted.rules)
775 - DELETED Virus - Possible Bubbleboy Worm (deleted.rules)
776 - DELETED Virus - Possible NewApt.Worm - copier.exe (deleted.rules)
777 - DELETED Virus - Possible MyPics Worm (deleted.rules)
778 - DELETED Virus - Possible Babylonia - X-MAS.exe (deleted.rules)
779 - DELETED Virus - Possible NewApt.Worm - gadget.exe (deleted.rules)
780 - DELETED Virus - Possible NewApt.Worm - irnglant.exe (deleted.rules)
781 - DELETED Virus - Possible NewApt.Worm - casper.exe (deleted.rules)
782 - DELETED Virus - Possible NewApt.Worm - fborfw.exe (deleted.rules)
783 - DELETED Virus - Possible NewApt.Worm - saddam.exe (deleted.rules)
784 - DELETED Virus - Possible NewApt.Worm - bboy.exe (deleted.rules)
785 - DELETED Virus - Possible NewApt.Worm - monica.exe (deleted.rules)
786 - DELETED Virus - Possible NewApt.Worm - goal.exe (deleted.rules)
787 - DELETED Virus - Possible NewApt.Worm - panther.exe (deleted.rules)
788 - DELETED Virus - Possible NewApt.Worm - chestburst.exe (deleted.rules)
789 - DELETED Virus - Possible NewApt.Worm - farter.exe (deleted.rules)
791 - DELETED Virus - Possible NewApt.Worm - cupid2.exe (deleted.rules)
792 - DELETED Virus - Possible Resume Worm (deleted.rules)
794 - DELETED Virus - Possible Resume Worm (deleted.rules)
799 - DELETED Virus - Possible Timofonica Worm (deleted.rules)
800 - DELETED Virus - Possible Resume Worm (deleted.rules)
802 - DELETED Virus - Possbile Zipped Files Trojan (deleted.rules)
972 - DELETED WEB-IIS %2E-asp access (deleted.rules)
1508 - WEB-CGI alibaba.pl access (web-cgi.rules)
3534 - WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0 (web-client.rules)
3535 - WEB-CLIENT GIF transfer (web-client.rules)
3536 - WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0 (web-client.rules)
5851 - SPYWARE-PUT Adware warez_p2p runtime detection - .txt .dat and .lst requests (spyware-put.rules)
6025 - BACKDOOR tequila bandita 1.2 runtime detection - reverse connection (backdoor.rules)
6317 - BACKDOOR net demon runtime detection - file manager response (backdoor.rules)
6399 - BACKDOOR rad 1.2.3 runtime detection (backdoor.rules)
