Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:3; metadata:created_at 2013_03_05, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)