
List:       emerging-sigs
Subject:    [Emerging-Sigs] Possible FP's on 2007840 (User-agent: Shell)
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-02-22 18:19:26
Message-ID: 47BF122E.3000104 () jonkmans ! com

The malware I had caught was a trojan grabbing URLs like:

http:// 125.65.xx.xx/guama1/7.jpg

These were actually executables of course. Well detected, Kaspersky
called the malware Trojan-Downloader.Win32.Agent.blm. Most all called it
just some generic downloader.

Only had one sample using that useragent, and haven't seen any in the
week or so since. Some initial googling didn't show me any legit uses of
that.

What did your hits look like?

Matt

Reg Quinton wrote:
> I'm getting alarms on this signature -- all point to clients installing some
> app from msnshell.com. I've pulled down several and submitted each to the
> various on-line AV tests (jotti and virustotal) and none come up bad.
> 
> I have no evidence that there is in fact anything malicious going on, does
> anyone else?
> 
> I am, Reg Quinton <reggers at ist.uwaterloo.ca>
>       Senior Technologist, Security
>       Information Systems and Technology
>       University of Waterloo, 200 University Ave W
>       Waterloo, Ontario N2L 3G1 Canada
>       +1 519 888-4567x36070

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
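
Added example, not part of the original messages: one way to triage hits on a "User-Agent: Shell" alert is to compare the type implied by the URL extension with the leading bytes of the response body, which separates the ".jpg that is really an executable" case described above from downloads that need ordinary review. The record fields, function names and sample records are assumptions constructed for illustration.

```python
# Added example: triage HTTP transactions that carried "User-Agent: Shell".
# Record layout and all sample data are constructed, not taken from the thread.
import posixpath
from urllib.parse import urlparse

# Leading magic bytes for the file types of interest.
MAGIC = {
    "pe": (b"MZ",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# What each URL extension claims the body is.
EXT_CLAIMS = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png",
              ".exe": "pe", ".dll": "pe"}

def sniff(body_prefix: bytes) -> str:
    """Return the type whose magic matches the body prefix, else 'unknown'."""
    for name, prefixes in MAGIC.items():
        if body_prefix.startswith(prefixes):
            return name
    return "unknown"

def triage(record: dict) -> str:
    """Classify one transaction: mismatch, plain executable, or nothing found."""
    if record["user_agent"].strip().lower() != "shell":
        return "not-applicable"
    ext = posixpath.splitext(urlparse(record["url"]).path)[1].lower()
    claimed = EXT_CLAIMS.get(ext)          # None when the extension is unlisted
    actual = sniff(record["body_prefix"])
    if actual == "pe" and claimed not in (None, "pe"):
        return "suspicious: executable served under a non-executable extension"
    if actual == "pe":
        return "review: executable download, submit the file for analysis"
    return "review: no type mismatch found"

# Constructed sample records (documentation address and example domains).
SAMPLES = [
    {"user_agent": "Shell", "url": "http://192.0.2.10/sample/7.jpg",
     "body_prefix": b"MZ\x90\x00\x03\x00"},
    {"user_agent": "Shell", "url": "http://downloads.example/setup.exe",
     "body_prefix": b"MZ\x90\x00\x03\x00"},
    {"user_agent": "Shell", "url": "http://images.example/logo.jpg",
     "body_prefix": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["url"], "->", triage(rec))
```

A "review" result is not a verdict either way; it only means the extension and content agree, so the file itself still has to be examined.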


