Snort mailing list archives

winhe800 trojan


From: Crusty Saint <saintcrusty () gmail com>
Date: Fri, 19 Aug 2011 12:40:20 +0200

Hi,

I've just come across a machine which has been repeatedly infected with a
more or less recent Trojan recognisable by the winhe800.exe filename.

Little information exists and is not 100% consistent. Evidence was deleted
by an overzealous admin so I cannot simply try and build a custom rule for
this.

Anyone out there having a resource or rule available for usage? I've found
reference to a dropper but no useful sig in the ruleset(s). Also no useful
result in threatexpert, virustotal or others.

No specific rule for winhe800.exe etc.

Resources

( only works from webcache )
http://webcache.googleusercontent.com/search?q=cache:HvFwmWx3I2EJ:xml.ssdsandbox.net/view/bf7b927f7e737a49cb46c25a447fa254+winhe800+url&cd=3&hl=nl&ct=clnk&gl=nl&source=www.google.nl

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=556848#none
http://vil.nai.com/vil/content/v_472810.htm

http://download.globalhauri.com/customer/security/virus_view.html?intSeq=2251&page=14&keyfield=&key=&SelectPart=
http://www.hauri.co.kr/customer/security/virus_view.html?intSeq=2251&page=12&keyfield=&key=&SelectPart=1


Best Regards,

S.C.

-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list