Sourcefire VRT Update

Date: 2006-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.

The format of each entry is:

sid - Message (rule group)

Entries whose message begins with DELETED have been moved to deleted.rules, i.e. removed from the active rule set, and the sid is listed under "Updated rules" rather than "New rules".

New rules:
6472 - BACKDOOR bugs runtime detection - file manager client-to-server (backdoor.rules)
6473 - BACKDOOR bugs runtime detection - file manager server-to-client (backdoor.rules)
6474 - BACKDOOR w32.loosky.gen@mm runtime detection - notification (backdoor.rules)
6475 - BACKDOOR badrat 1.1 runtime detection - flowbit set (backdoor.rules)
6476 - BACKDOOR badrat 1.1 runtime detection (backdoor.rules)
6477 - SPYWARE-PUT Hacker-Tool beee runtime detection - smtp (spyware-put.rules)
6478 - SPYWARE-PUT Trackware searchingall toolbar runtime detection - send user url request (spyware-put.rules)
6479 - SPYWARE-PUT Snoopware totalvelocity zsearch runtime detection (spyware-put.rules)
6480 - SPYWARE-PUT Hijacker cws.cameup runtime detection - home page (spyware-put.rules)
6481 - SPYWARE-PUT Hijacker cws.cameup runtime detection - search (spyware-put.rules)
6482 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - get info (spyware-put.rules)
6483 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - home page hijacker (spyware-put.rules)
6484 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - search (spyware-put.rules)
6485 - SPYWARE-PUT Adware spyfalcon runtime detection - action report (spyware-put.rules)
6486 - SPYWARE-PUT Adware spyfalcon runtime detection - notification (spyware-put.rules)
6487 - SPYWARE-PUT Adware searchnugget toolbar runtime detection - check updates (spyware-put.rules)
6488 - SPYWARE-PUT Adware searchnugget toolbar runtime detection - redirect mistyped urls (spyware-put.rules)
6489 - SPYWARE-PUT Hijacker analyze IE runtime detection - default page hijacker (spyware-put.rules)
6490 - SPYWARE-PUT Dialer yeaknet runtime detection - home page hijacker (spyware-put.rules)
6491 - SPYWARE-PUT Dialer yeaknet runtime detection - post-installation (spyware-put.rules)
6492 - SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - notification (spyware-put.rules)
6493 - SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - post data (spyware-put.rules)
6494 - SPYWARE-PUT Adware yourenhancement runtime detection (spyware-put.rules)
6495 - SPYWARE-PUT Hijacker troj_spywad.x runtime detection (spyware-put.rules)
6496 - SPYWARE-PUT Adware adpowerzone runtime detection (spyware-put.rules)
6497 - BACKDOOR exploiter 1.0 runtime detection (backdoor.rules)
6498 - BACKDOOR exploiter 1.0 runtime detection (backdoor.rules)
6499 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6500 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6501 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6502 - WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0 (web-client.rules)
6503 - WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0 (web-client.rules)
6504 - WEB-CLIENT Sophos Anti-Virus CAB file overflow attempt (web-client.rules)
6505 - WEB-CLIENT quicktime fpx file SectNumMiniFAT overflow attempt (web-client.rules)
6506 - WEB-CLIENT quicktime udta atom overflow attempt (web-client.rules)
6507 - WEB-MISC novell edirectory imonitor overflow attempt (web-misc.rules)
6508 - EXPLOIT EMC retrospect client crafted packet overflow attempt (exploit.rules)
6509 - WEB-CLIENT Internet Explorer mhtml uri href buffer overflow attempt (web-client.rules)
6510 - WEB-CLIENT Internet Explorer mhtml uri shortcut buffer overflow attempt (web-client.rules)
6511 - WEB-MISC ALT-N WebAdmin user param overflow attempt (web-misc.rules)
6512 - EXPLOIT symantec antivirus realtime virusscan overflow attempt (exploit.rules)

Updated rules:
 731 - DELETED Virus - Possible QAZ Worm (deleted.rules)
 732 - DELETED Virus - Possible QAZ Worm Infection (deleted.rules)
 733 - DELETED Virus - Possible QAZ Worm Calling Home (deleted.rules)
 738 - DELETED Virus - Possible Pikachu Pokemon Virus (deleted.rules)
 739 - DELETED Virus - Possible Triplesix Worm (deleted.rules)
 740 - DELETED Virus - Possible Tune.vbs (deleted.rules)
 741 - DELETED Virus - Possible NAIL Worm (deleted.rules)
 742 - DELETED Virus - Possible NAIL Worm (deleted.rules)
 743 - DELETED Virus - Possible NAIL Worm (deleted.rules)
 744 - DELETED Virus - Possible NAIL Worm (deleted.rules)
 745 - DELETED Virus - Possible Papa Worm (deleted.rules)
 746 - DELETED Virus - Possible Freelink Worm (deleted.rules)
 748 - DELETED Virus - Possible BADASS Worm (deleted.rules)
 749 - DELETED Virus - Possible ExploreZip.B Worm (deleted.rules)
 751 - DELETED Virus - Possible wscript.KakWorm (deleted.rules)
 752 - DELETED Virus Possible Suppl Worm (deleted.rules)
 753 - DELETED Virus - Possible NewApt.Worm - theobbq.exe (deleted.rules)
 754 - DELETED Virus - Possible Word Macro - VALE (deleted.rules)
 755 - DELETED Virus - Possible IROK Worm (deleted.rules)
 756 - DELETED Virus - Possible Fix2001 Worm (deleted.rules)
 757 - DELETED Virus - Possible Y2K Zelu Trojan (deleted.rules)
 758 - DELETED Virus - Possible The_Fly Trojan (deleted.rules)
 759 - DELETED Virus - Possible Word Macro - VALE (deleted.rules)
 760 - DELETED Virus - Possible Passion Worm (deleted.rules)
 761 - DELETED Virus - Possible NewApt.Worm - cooler3.exe (deleted.rules)
 762 - DELETED Virus - Possible NewApt.Worm - party.exe (deleted.rules)
 763 - DELETED Virus - Possible NewApt.Worm - hog.exe (deleted.rules)
 764 - DELETED Virus - Possible NewApt.Worm - goal1.exe (deleted.rules)
 765 - DELETED Virus - Possible NewApt.Worm - pirate.exe (deleted.rules)
 766 - DELETED Virus - Possible NewApt.Worm - video.exe (deleted.rules)
 767 - DELETED Virus - Possible NewApt.Worm - baby.exe (deleted.rules)
 768 - DELETED Virus - Possible NewApt.Worm - cooler1.exe (deleted.rules)
 769 - DELETED Virus - Possible NewApt.Worm - boss.exe (deleted.rules)
 770 - DELETED Virus - Possible NewApt.Worm - g-zilla.exe (deleted.rules)
 771 - DELETED Virus - Possible ToadieE-mail Trojan (deleted.rules)
 772 - DELETED Virus - Possible PrettyPark Trojan (deleted.rules)
 773 - DELETED Virus - Possible Happy99 Virus (deleted.rules)
 775 - DELETED Virus - Possible Bubbleboy Worm (deleted.rules)
 776 - DELETED Virus - Possible NewApt.Worm - copier.exe (deleted.rules)
 777 - DELETED Virus - Possible MyPics Worm (deleted.rules)
 778 - DELETED Virus - Possible Babylonia - X-MAS.exe (deleted.rules)
 779 - DELETED Virus - Possible NewApt.Worm - gadget.exe (deleted.rules)
 780 - DELETED Virus - Possible NewApt.Worm - irnglant.exe (deleted.rules)
 781 - DELETED Virus - Possible NewApt.Worm - casper.exe (deleted.rules)
 782 - DELETED Virus - Possible NewApt.Worm - fborfw.exe (deleted.rules)
 783 - DELETED Virus - Possible NewApt.Worm - saddam.exe (deleted.rules)
 784 - DELETED Virus - Possible NewApt.Worm - bboy.exe (deleted.rules)
 785 - DELETED Virus - Possible NewApt.Worm - monica.exe (deleted.rules)
 786 - DELETED Virus - Possible NewApt.Worm - goal.exe (deleted.rules)
 787 - DELETED Virus - Possible NewApt.Worm - panther.exe (deleted.rules)
 788 - DELETED Virus - Possible NewApt.Worm - chestburst.exe (deleted.rules)
 789 - DELETED Virus - Possible NewApt.Worm - farter.exe (deleted.rules)
 791 - DELETED Virus - Possible NewApt.Worm - cupid2.exe (deleted.rules)
 792 - DELETED Virus - Possible Resume Worm (deleted.rules)
 794 - DELETED Virus - Possible Resume Worm (deleted.rules)
 799 - DELETED Virus - Possible Timofonica Worm (deleted.rules)
 800 - DELETED Virus - Possible Resume Worm (deleted.rules)
 802 - DELETED Virus - Possbile Zipped Files Trojan (deleted.rules)
 972 - DELETED WEB-IIS %2E-asp access (deleted.rules)
1508 - WEB-CGI alibaba.pl access (web-cgi.rules)
3534 - WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0 (web-client.rules)
3535 - WEB-CLIENT GIF transfer (web-client.rules)
3536 - WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0 (web-client.rules)
5851 - SPYWARE-PUT Adware warez_p2p runtime detection - .txt .dat and .lst requests (spyware-put.rules)
6025 - BACKDOOR tequila bandita 1.2 runtime detection - reverse connection (backdoor.rules)
6317 - BACKDOOR net demon runtime detection - file manager response (backdoor.rules)
6399 - BACKDOOR rad 1.2.3 runtime detection (backdoor.rules)
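As an added example (not part of the VRT notice, and not Sourcefire tooling), the following Python parses the "sid - Message (rule group)" format above so an operator can reconcile an update against local configuration: it splits the New/Updated sections, extracts the sids retired into deleted.rules, counts entries per rule file, and flags any locally enabled or thresholded sid that now refers to a retired rule. The SAMPLE text is a constructed excerpt of the list above, and the local sid list passed to stale_local_overrides is a hypothetical one standing in for what you would read out of an oinkmaster enablesid or threshold.conf file.

```python
import re
from collections import Counter

# One entry per line: "sid - Message (rule group)".
# The message itself may contain " - ", so the group name is anchored at end of line.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+-\s+(.*?)\s+\(([\w.-]+\.rules)\)\s*$")

# Constructed excerpt of the update notice above (a handful of its lines).
SAMPLE = """\
New rules:
6472 - BACKDOOR bugs runtime detection - file manager client-to-server (backdoor.rules)
6502 - WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0 (web-client.rules)

Updated rules:
 731 - DELETED Virus - Possible QAZ Worm (deleted.rules)
 802 - DELETED Virus - Possbile Zipped Files Trojan (deleted.rules)
1508 - WEB-CGI alibaba.pl access (web-cgi.rules)
3534 - WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0 (web-client.rules)
"""


def parse_update(text):
    """Return {"new": [...], "updated": [...]} of (sid, message, group) tuples."""
    sections = {"new": [], "updated": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip().lower()
        if not stripped:
            continue
        if stripped == "new rules:":
            current = "new"
            continue
        if stripped == "updated rules:":
            current = "updated"
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            sid, msg, group = m.groups()
            sections[current].append((int(sid), msg, group))
        # Anything else (date, prose header) is ignored.
    return sections


def retired_sids(parsed):
    """Sids flagged DELETED and now living in deleted.rules (no longer active)."""
    return sorted(
        sid
        for sid, msg, group in parsed["updated"]
        if msg.startswith("DELETED") and group == "deleted.rules"
    )


def group_counts(parsed):
    """Number of touched entries per rule file, across both sections."""
    counts = Counter()
    for entries in parsed.values():
        for _, _, group in entries:
            counts[group] += 1
    return dict(counts)


def stale_local_overrides(parsed, local_sids):
    """Locally referenced sids (enablesid/threshold entries) that point at retired rules.

    local_sids is a hypothetical list; in practice read it from your own config.
    """
    return sorted(set(local_sids) & set(retired_sids(parsed)))


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("new:", [sid for sid, _, _ in parsed["new"]])
    print("retired:", retired_sids(parsed))
    print("per rule file:", group_counts(parsed))
    print("stale overrides:", stale_local_overrides(parsed, [731, 1508, 9999]))
```

Run it against the full notice by replacing SAMPLE with the file contents; sids reported by stale_local_overrides are the ones whose local enable or threshold entries can be dropped, since the rule they reference no longer fires.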