alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emold.C Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?v="; fast_pattern; content:"&rs="; distance:0; content:"&n="; distance:0; pcre:"/\.php\?v\x3d\d+?\x26rs\x3d(?:(?:\d+?\x2d){3})?\d+?\x26n\x3d\d/i"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C; reference:md5,49205774f0ff7605c226828e080238f3; classtype:command-and-control; sid:2016251; rev:7; metadata:created_at 2011_10_19, malware_family Win32_Emold_C, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_18;)