
List:       emerging-sigs
Subject:    [Emerging-Sigs] SIG: Yahoo Messenger yt.dll ActiveX Remote Code Execution Attempt
From:       kevross33 () googlemail ! com (Kevin Ross)
Date:       2010-07-26 19:47:36
Message-ID: AANLkTimmdCejgv8-rG_jO-9_0qRqjXMsCWT0BX3iEmuq () mail ! gmail ! com

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Yahoo Messenger yt.dll ActiveX Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"72C24DD5-D70A-438B-8A42-98424B88AFB8"; nocase; distance:0; content:"Run"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72C24DD5-D70A-438B-8A42-98424B88AFB8/si"; classtype:attempted-user; reference:url,www.exploit-db.com/exploits/14473/; sid:1234001; rev:1;)

Regards, Kev
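
Added example, not part of the original post: a Python approximation of the rule's content/pcre chain, run over constructed HTML bodies to show which page shapes alert. The names rule_matches, evaluate and SAMPLES are hypothetical, and the matching only approximates Snort's engine (no flow or stream handling).

```python
import re

# CLSID and regex copied from the rule in the message above.
CLSID = "72C24DD5-D70A-438B-8A42-98424B88AFB8"
OBJECT_PCRE = re.compile(
    r"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*" + CLSID,
    re.I | re.S,  # the rule's /si modifiers
)

def rule_matches(body: str) -> bool:
    """Approximate the rule's option chain on one HTTP response body."""
    low = body.lower()
    first = low.find("clsid")                  # content:"clsid"; nocase;
    if first < 0:
        return False
    # distance:0 -> CLSID must begin at or after the end of a "clsid" match;
    # searching from the earliest "clsid" covers all later ones too.
    if low.find(CLSID.lower(), first + len("clsid")) < 0:
        return False
    if "run" not in low:                       # content:"Run"; nocase; unanchored
        return False
    return OBJECT_PCRE.search(body) is not None    # pcre over the whole payload

TAG = '<object id="yt" classid="clsid:%s"></object>'
# Constructed sample bodies, not captured traffic.
SAMPLES = {
    "double_quoted": TAG % CLSID + "<script>yt.Run(arg)</script>",
    "single_quoted_braces": "<OBJECT\n ID='yt'\n CLASSID = 'CLSID : {%s}'>"
                            "</OBJECT><script>yt.run(arg)</script>" % CLSID.lower(),
    "benign_word_run": TAG % CLSID + "<p>Run the installer first.</p>",
    "no_run_anywhere": TAG % CLSID,
    "other_clsid": TAG % "00000000-0000-0000-0000-000000000000" + "<p>Run</p>",
    "clsid_in_text_only": "<p>clsid %s is discussed here. Run.</p>" % CLSID,
}

def evaluate(samples=SAMPLES):
    return {name: rule_matches(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:22} {'ALERT' if hit else 'no alert'}")
```

The benign_word_run sample alerts because content:"Run" is not positioned relative to the OBJECT tag, so any page that embeds the control and contains the word "run" satisfies the rule.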